Windows Analysis Report
Contract #U2116 KB #U2013 08152024 - 1.pif.exe

Overview

General Information

Sample name: Contract #U2116 KB #U2013 08152024 - 1.pif.exe
renamed because original name is a hash value
Original sample name: Contract KB 08152024 - 1.pif.exe
Analysis ID: 1517889
MD5: 0d691a633beee6186b92c949b1d517ec
SHA1: 9fdbbfe61d00c5a665b2ecbb289911174d398b3a
SHA256: 5ae089cf078ddd0de067269cc5b8334998c0bb38c7abd508733d51e79d8a792e
Tags: exe, pif, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Contract #U2116 KB #U2013 08152024 - 1.pif.exe (PID: 432 cmdline: "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe" MD5: 0D691A633BEEE6186B92C949B1D517EC)
    • powershell.exe (PID: 2172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7296 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • pnizSfmxsGVsXD.exe (PID: 7340 cmdline: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe MD5: 0D691A633BEEE6186B92C949B1D517EC)
    • schtasks.exe (PID: 7500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • pnizSfmxsGVsXD.exe (PID: 7548 cmdline: "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe" MD5: 0D691A633BEEE6186B92C949B1D517EC)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["141.98.10.33:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
7.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe", ParentImage: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ParentProcessId: 432, ParentProcessName: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe", ProcessId: 2172, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe, ParentImage: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe, ParentProcessId: 7340, ParentProcessName: pnizSfmxsGVsXD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp", ProcessId: 7500, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe", ParentImage: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ParentProcessId: 432, ParentProcessName: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp", ProcessId: 3292, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe", ParentImage: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ParentProcessId: 432, ParentProcessName: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe", ProcessId: 2172, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe", ParentImage: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ParentProcessId: 432, ParentProcessName: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp", ProcessId: 3292, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T08:47:11.177939+0200 | 2043234 | 1 | A Network Trojan was detected | 141.98.10.33 | 1912 | 192.168.2.5 | 49708 | TCP
2024-09-25T08:47:13.315234+0200 | 2043234 | 1 | A Network Trojan was detected | 141.98.10.33 | 1912 | 192.168.2.5 | 49710 | TCP
2024-09-25T08:47:10.973037+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:13.113522+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:16.577889+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:18.484266+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:19.901636+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:20.135749+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:22.250549+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:22.483812+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:18.623727+0200 | 2046056 | 1 | A Network Trojan was detected | 141.98.10.33 | 1912 | 192.168.2.5 | 49708 | TCP
2024-09-25T08:47:21.279917+0200 | 2046056 | 1 | A Network Trojan was detected | 141.98.10.33 | 1912 | 192.168.2.5 | 49710 | TCP
2024-09-25T08:47:10.973037+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
2024-09-25T08:47:13.113522+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP


AV Detection

Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["141.98.10.33:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe, ReversingLabs: Detection: 55%
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, ReversingLabs: Detection: 55%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe, Joe Sandbox ML: detected
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, Joe Sandbox ML: detected
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: iyRY.pdb source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr
Source: Binary string: iyRY.pdbSHA256R source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr

Networking

Source: Network traffic, Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49710 -> 141.98.10.33:1912
Source: Network traffic, Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49710 -> 141.98.10.33:1912
Source: Network traffic, Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 141.98.10.33:1912 -> 192.168.2.5:49710
Source: Network traffic, Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49708 -> 141.98.10.33:1912
Source: Network traffic, Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49708 -> 141.98.10.33:1912
Source: Network traffic, Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 141.98.10.33:1912 -> 192.168.2.5:49708
Source: Network traffic, Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 141.98.10.33:1912 -> 192.168.2.5:49710
Source: Network traffic, Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 141.98.10.33:1912 -> 192.168.2.5:49708
Source: Malware configuration extractor, URLs: 141.98.10.33:1912
Source: global traffic, TCP traffic: 192.168.2.5:49708 -> 141.98.10.33:1912
Source: Joe Sandbox View, ASN Name: HOSTBALTICLT HOSTBALTICLT
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2117587357.00000000027A2000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 00000009.00000002.2167015302.0000000002737000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2115675768.00000000008AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2123176275.0000000006850000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000000.2065004701.00000000002B0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameiyRY.exe6 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.00000000039FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000000.00000002.2118443806.00000000039FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226506822.0000000000446000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226945726.00000000010E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exeBinary or memory string: OriginalFilenameiyRY.exe6 vs Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: pnizSfmxsGVsXD.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, aob4t2heYGD5OpupvU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, aob4t2heYGD5OpupvU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.csSecurity API names: _0020.AddAccessRule
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/11@0/1
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeFile created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_03
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMutant created: NULL
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMutant created: \Sessions\1\BaseNamedObjects\IZmDGqJiypaEKrNLtetGpeOr
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeFile created: C:\Users\user\AppData\Local\Temp\tmpFABF.tmp
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeFile read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000303C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exeReversingLabs: Detection: 55%
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeFile read: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Source: unknownProcess created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp"
                          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeProcess created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp"
                          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: iyRY.pdb source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr
                          Source: Binary string: iyRY.pdbSHA256R source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, pnizSfmxsGVsXD.exe.0.dr

                          Data Obfuscation

                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, VentanaPrincipal.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                          Source: pnizSfmxsGVsXD.exe.0.dr, VentanaPrincipal.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.6850000.5.raw.unpack, oE46Ol8Efu3c0MYDGh.cs | .Net Code: ETxi5qnsEW System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.2786fac.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3a259e0.2.raw.unpack, oE46Ol8Efu3c0MYDGh.cs | .Net Code: ETxi5qnsEW System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.4cd0000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                          Source: 9.2.pnizSfmxsGVsXD.exe.2716f34.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Static PE information: 0xB47BDC83 [Mon Dec 14 11:37:39 2065 UTC]
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Code function: 7_2_06DD1AE9 push E406D552h; iretd 7_2_06DD1AF5
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | Code function: 9_2_06C55240 pushad ; iretd 9_2_06C55241
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | Code function: 9_2_06C5421E push ebx; ret 9_2_06C5422E
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | Code function: 12_2_02BAD442 push eax; ret 12_2_02BAD451
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Static PE information: section name: .text entropy: 7.853179629516152
                          Source: pnizSfmxsGVsXD.exe.0.dr | Static PE information: section name: .text entropy: 7.853179629516152
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: \contract #u2116 kb #u2013 08152024 - 1.pif.exe
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe File created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe

                          Boot Survival

                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp"

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: Yara matchFile source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 432, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7340, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: A10000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 2750000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 25B0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 99C0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 6A30000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: A9C0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: B9C0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 1360000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 2F90000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeMemory allocated: 2DC0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: F50000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 26E0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 46E0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 70D0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 80D0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 8270000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 9270000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: E80000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 2BD0000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeMemory allocated: 2A30000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5292Jump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4479Jump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWindow / User API: threadDelayed 1641Jump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWindow / User API: threadDelayed 1809Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWindow / User API: threadDelayed 612Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWindow / User API: threadDelayed 3499Jump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe TID: 4744Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe TID: 7676Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe TID: 7272Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe TID: 7400Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe TID: 7804Thread sleep time: -13835058055282155s >= -30000sJump to behavior
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe TID: 7576Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003263000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655LR]q
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 00000009.00000002.2170404608.0000000006AD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                          Source: pnizSfmxsGVsXD.exe, 00000009.00000002.2170404608.0000000006AD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Fp
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2250679526.0000000000D1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226945726.00000000011B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2234682279.00000000043AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.000000000322B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Code function: 7_2_06DD7218 LdrInitializeThunk,7_2_06DD7218
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Memory written: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp"
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe Process created: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe "C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp"
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe Process created: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2226945726.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2248054631.0000000006576000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 432, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 7248, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7548, type: MEMORYSTR
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR]q@j
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR]q
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q%appdata%`,]qdC:\Users\user\AppData\Roaming`,]qdC:\Users\user\AppData\Roaming\Binance
                          Source: Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q&%localappdata%\Coinomi\Coinomi\walletsLR]q4H
                          Source: pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: Yara match | File source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 7248, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7548, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.37ec758.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.Contract #U2116 KB #U2013 08152024 - 1.pif.exe.3837978.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 432, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: Contract #U2116 KB #U2013 08152024 - 1.pif.exe PID: 7248, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: pnizSfmxsGVsXD.exe PID: 7548, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 331 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 241 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1517889; Sample: Contract #U2116 KB #U2013 0...; Startdate: 25/09/2024; Architecture: WINDOWS; Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; 12 other signatures

pnizSfmxsGVsXD.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
  Started: pnizSfmxsGVsXD.exe
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  Started: schtasks.exe
    Started: conhost.exe

Contract #U2116 KB #U2013 08152024 - 1.pif.exe (started)
  Dropped: C:\Users\user\AppData\...\pnizSfmxsGVsXD.exe, PE32
  Dropped: C:\...\pnizSfmxsGVsXD.exe:Zone.Identifier, ASCII
  Dropped: C:\Users\user\AppData\Local\...\tmpFABF.tmp, XML
  Dropped: Contract #U2116 KB...024 - 1.pif.exe.log, ASCII
  Signatures: Adds a directory exclusion to Windows Defender
  Started: Contract #U2116 KB #U2013 08152024 - 1.pif.exe
    DNS/IP: 141.98.10.33, 1912, 49708, 49710 HOSTBALTICLT Lithuania
  Started: powershell.exe
    Signatures: Loading BitLocker PowerShell Module
    Started: WmiPrvSE.exe
    Started: conhost.exe
  Started: schtasks.exe
    Started: conhost.exe

Source | Detection | Scanner | Label | Link
Contract #U2116 KB #U2013 08152024 - 1.pif.exe | 55% | ReversingLabs | Win32.Infostealer.LokiBot |
Contract #U2116 KB #U2013 08152024 - 1.pif.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe | 55% | ReversingLabs | Win32.Infostealer.LokiBot |

No Antivirus matches
No Antivirus matches
                          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id9ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id20Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id21Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id22Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id23Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id24Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id24ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.ecosia.org/newtab/pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id1ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressingContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trustContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id10Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id11Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id12Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id16ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id13Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id14Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id15Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id16Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id17Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id18Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id5ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id19Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id10ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id8ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/envelope/Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=pnizSfmxsGVsXD.exe, 0000000C.00000002.2264212080.0000000003C0B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trustContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id3ResponseDContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003420000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id23ResponseContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Contract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002BD1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/DContract #U2116 KB #U2013 08152024 - 1.pif.exe, 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, pnizSfmxsGVsXD.exe, 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IP:141.98.10.33
                          Domain:unknown
                          Country:Lithuania
                          ASN:209605
                          ASN Name:HOSTBALTICLT
                          Malicious:true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1517889
                          Start date and time:2024-09-25 08:46:10 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 7m 30s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:15
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          renamed because original name is a hash value
                          Original Sample Name:Contract KB 08152024 - 1.pif.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@16/11@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 240
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Time      Type             Description
                          02:47:03  API Interceptor  23x Sleep call for process: Contract #U2116 KB #U2013 08152024 - 1.pif.exe modified
                          02:47:05  API Interceptor  21x Sleep call for process: powershell.exe modified
                          02:47:08  API Interceptor  24x Sleep call for process: pnizSfmxsGVsXD.exe modified
                          08:47:07  Task Scheduler   Run new task: pnizSfmxsGVsXD path: C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          No context
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          HOSTBALTICLT | PRODUCT OVERVIEW.doc | malicious | Unknown | 141.98.10.11
                           | tppc.elf | malicious | Unknown | 141.98.10.95
                           | sarm6.elf | malicious | Mirai | 141.98.10.95
                           | TRIAL IMG_00O0125RDER.exe | malicious | FormBook, GuLoader | 141.98.10.120
                           | 1316wjL1Ep.elf | malicious | Unknown | 141.98.10.95
                           | 17213054441f2891f24374c97759e4ac14183d6cfaeabe4240dc8794e61fa899b9e40b62fb429.dat-decoded.exe | malicious | Remcos | 141.98.10.11
                           | Demand G2-2024.xlsx | malicious | FormBook | 141.98.10.47
                           | 171232524570452cfc1123de8b7cabf91834cbebe0e4fd1dae96e0b4418fab427bf67de7f5439.dat-decoded.exe | malicious | RisePro Stealer | 141.98.10.48
                           | 1712325246bbbf6f1de2af242e599680d3f96095835a7a7584ff1f1f967e4c2d3f319cbbe6606.dat-decoded.exe | malicious | PrivateLoader, RisePro Stealer | 141.98.10.48
                           | 171232524570452cfc1123de8b7cabf91834cbebe0e4fd1dae96e0b4418fab427bf67de7f5439.dat-decoded.exe | malicious | RisePro Stealer | 141.98.10.48
                          Process:C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2232
                          Entropy (8bit):5.380805901110357
                          Encrypted:false
                          SSDEEP:48:lylWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//Zf0Uyus:lGLHxvCZfIfSKRHmOugo1s
                          MD5:8AFD9DE8DAD3114D1703D05199399792
                          SHA1:FEA2B19F65A6E2E8AFFC87DA1CAC209224CE4EFA
                          SHA-256:9D17F49349746FB07E14428CB62BAC287FFA3B95870BAD51318835722D5A208F
                          SHA-512:5873EA9AFFE37603BF0E32D098DC270D5054A04CAC55300CD4E582ECF08C12D6BD845F7F6169814480888C56603DD86D27336B25C65386DE7BB65C4650E977EA
                          Malicious:false
                          Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1587
                          Entropy (8bit):5.112421048230427
                          Encrypted:false
                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKxvn:cgergYrFdOFzOzN33ODOiDdKrsuTev
                          MD5:E44CDFE86BF51CECF6CAB6CB79DFD277
                          SHA1:9F0EBC0079086DEB3F32E9E2E5658FDFBB2AE728
                          SHA-256:6A2F757C04C28B78D0F8BC5CA64CAFCCB11A7963E8C06832706824424C550638
                          SHA-512:3D16399C0DF920C20DAE2EE2414DAF6162B69277966BBC479CCA14A2F9041C93BCCD6D43D9557AA3AE806948CBF4AA00E0DC9EB4DC07A924D924830216F7DE66
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                          Process:C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1587
                          Entropy (8bit):5.112421048230427
                          Encrypted:false
                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKxvn:cgergYrFdOFzOzN33ODOiDdKrsuTev
                          MD5:E44CDFE86BF51CECF6CAB6CB79DFD277
                          SHA1:9F0EBC0079086DEB3F32E9E2E5658FDFBB2AE728
                          SHA-256:6A2F757C04C28B78D0F8BC5CA64CAFCCB11A7963E8C06832706824424C550638
                          SHA-512:3D16399C0DF920C20DAE2EE2414DAF6162B69277966BBC479CCA14A2F9041C93BCCD6D43D9557AA3AE806948CBF4AA00E0DC9EB4DC07A924D924830216F7DE66
                          Malicious:true
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                          Process:C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):710144
                          Entropy (8bit):7.8441514584531875
                          Encrypted:false
                          SSDEEP:12288:Ur8bQbPIcS3q/Uq2hI/gQiL6IwcYtcH5YIoj8b4fGW3OUnrCq57akvWXWjN:UcIZS3Fq2hhG7JaCH3hnz5RX
                          MD5:0D691A633BEEE6186B92C949B1D517EC
                          SHA1:9FDBBFE61D00C5A665B2ECBB289911174D398B3A
                          SHA-256:5AE089CF078DDD0DE067269CC5B8334998C0BB38C7ABD508733D51E79D8A792E
                          SHA-512:D6AAFEBB29A212F3DA9743FD8FBFB8095D7E17A6297C82A867F0BCDD86E9A04E6740BBD4D65AAE411135D3218F5BB31DC5FE8CDC3E7AF349F1DA3B43EC221D74
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 55%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{...............0.................. ........@.. .......................@............@.................................i...O....... .................... ......d...p............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........C...8......8....|...Z............................................{....*.0............{.....+..*.0............{.....+..*..(........}......}......d}......}....*..0..&..........{.....X}.....k"..HBZ.{....k[...+..*..s0...}......}.....(.......(.....*b..{....o....r...po....&*...0............{.....{....o....o#.....{.....{....o....o%.....{.....{....o....-.r...p+.rO..po'.....{....o......,..{....r{..po)....+3.{....o......,..{....r...po)....+..{....r...po).....{.....{....o....o.
                          Process:C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.8441514584531875
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          File size:710'144 bytes
                          MD5:0d691a633beee6186b92c949b1d517ec
                          SHA1:9fdbbfe61d00c5a665b2ecbb289911174d398b3a
                          SHA256:5ae089cf078ddd0de067269cc5b8334998c0bb38c7abd508733d51e79d8a792e
                          SHA512:d6aafebb29a212f3da9743fd8fbfb8095d7e17a6297c82a867f0bcdd86e9a04e6740bbd4d65aae411135d3218f5bb31dc5fe8cdc3e7af349f1da3b43ec221d74
                          SSDEEP:12288:Ur8bQbPIcS3q/Uq2hI/gQiL6IwcYtcH5YIoj8b4fGW3OUnrCq57akvWXWjN:UcIZS3Fq2hhG7JaCH3hnz5RX
                          TLSH:EFE402113699C20AC4E10BF40532D6F86BB91D8DA822D3075FDABDEFBD797011A4179B
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{...............0.................. ........@.. .......................@............@................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x4ae9be
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0xB47BDC83 [Mon Dec 14 11:37:39 2065 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae969 | 0x4f | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x620 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xad764 | 0x70 | .text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0xac9c4 | 0xaca00 | 40451b7a17624cf09ad50b5b17f636e2 | False | 0.9350264188088342 | data | 7.853179629516152 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xb0000 | 0x620 | 0x800 | 57a4b2b832fd7d3ce8b7c9181e872f83 | False | 0.33544921875 | data | 3.441006657295053 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xb2000 | 0xc | 0x200 | 71737e39931b46ddd3e8c350b801b275 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_VERSION | 0xb0090 | 0x390 | data | | | 0.4243421052631579
                          RT_MANIFEST | 0xb0430 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-09-25T08:47:10.973037+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:10.973037+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:11.177939+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 141.98.10.33 | 1912 | 192.168.2.5 | 49708 | TCP
                          2024-09-25T08:47:13.113522+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:13.113522+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:13.315234+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 141.98.10.33 | 1912 | 192.168.2.5 | 49710 | TCP
                          2024-09-25T08:47:16.577889+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:18.484266+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:18.623727+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 141.98.10.33 | 1912 | 192.168.2.5 | 49708 | TCP
                          2024-09-25T08:47:19.901636+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:20.135749+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49708 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:21.279917+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 141.98.10.33 | 1912 | 192.168.2.5 | 49710 | TCP
                          2024-09-25T08:47:22.250549+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
                          2024-09-25T08:47:22.483812+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49710 | 141.98.10.33 | 1912 | TCP
                          Sep 25, 2024 08:47:18.629077911 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629144907 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629179955 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629193068 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629226923 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629230022 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629240990 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629245043 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629276037 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629281044 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629292965 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629297972 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629363060 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629832029 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629859924 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629873991 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.629892111 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629910946 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.629935026 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.630017042 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.630081892 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.633757114 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.633816004 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.633822918 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.633872986 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634150982 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634179115 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634192944 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634237051 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634241104 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634272099 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634291887 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634320021 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634358883 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634432077 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634449005 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634469032 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634481907 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634488106 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634496927 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634500980 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634527922 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634555101 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634598970 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634674072 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634736061 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634752989 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634778976 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634799957 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634830952 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634855032 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634884119 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634896994 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634953976 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634968042 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.634991884 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.634999990 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635006905 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635015011 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635037899 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635054111 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635062933 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635067940 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635085106 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635102034 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635129929 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635133028 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635175943 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635211945 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635225058 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635241985 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.635251999 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635268927 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.635283947 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.638581038 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.638633966 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.638950109 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.638962984 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639008045 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.639043093 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.639101028 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639117002 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639122963 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639128923 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639133930 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639138937 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639156103 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.639239073 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.639945030 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639961958 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.639998913 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640000105 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.640012980 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640027046 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640041113 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640054941 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640068054 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640080929 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640094995 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640106916 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640121937 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640134096 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640146017 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640158892 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640172958 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640186071 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640199900 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640212059 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640224934 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640239000 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640252113 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640264988 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640276909 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640290022 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640302896 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640317917 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640350103 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640367031 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640379906 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640392065 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640403986 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640417099 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640429974 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640444040 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640456915 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640470028 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640484095 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640496016 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640508890 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640523911 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640537977 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640549898 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640563011 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.640701056 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.640778065 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.641856909 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642003059 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642014980 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642030954 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642043114 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642055988 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642069101 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642122984 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642134905 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642160892 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642179966 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642193079 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642205000 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642218113 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642230988 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642244101 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.642257929 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.643434048 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.643542051 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.643779039 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.643878937 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.643892050 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644038916 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644052982 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644077063 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644104958 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644118071 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644143105 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644155025 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644629955 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644711971 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644725084 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644789934 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644802094 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.644817114 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.645356894 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.645458937 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.645601034 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.645613909 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.645693064 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.645762920 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.646902084 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646919012 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646931887 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646945953 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646960020 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646971941 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646985054 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.646997929 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647011042 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647023916 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647036076 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647048950 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647062063 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647074938 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647089005 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647100925 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647113085 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647130966 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647144079 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647156000 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647170067 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647182941 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647195101 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647217989 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647239923 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647263050 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647275925 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647288084 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647305012 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647317886 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647330046 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647342920 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647355080 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647371054 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647372007 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647397995 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647413015 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647424936 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647438049 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647449970 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647463083 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647479057 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647480011 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647485971 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647499084 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647511959 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647525072 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647536993 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647552013 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647564888 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.647579908 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652460098 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652482033 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652497053 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652509928 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652537107 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652549982 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652569056 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652587891 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652601004 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652614117 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652626991 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652638912 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652664900 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652678013 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652693033 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652709007 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652714968 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652715921 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652719975 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652724981 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652729988 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652743101 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652781963 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652795076 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652806997 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652821064 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652834892 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652857065 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652868986 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652880907 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652894020 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652906895 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652919054 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652944088 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652957916 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652970076 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652982950 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.652997017 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653009892 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653017044 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.653022051 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653034925 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653048992 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653063059 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653079033 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653095961 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653096914 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.653110027 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653121948 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653135061 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653147936 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653161049 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653172970 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653186083 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.653198957 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.657927990 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658063889 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658077002 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658088923 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658099890 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658135891 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658145905 CEST497081912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:18.658150911 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658164024 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658179045 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:18.658191919 CEST191249708141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311876059 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311886072 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311894894 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311904907 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311949015 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.311968088 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311976910 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311985970 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.311995029 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312009096 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.312082052 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312091112 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312098980 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312109947 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312119007 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312128067 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312212944 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312222004 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312230110 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312239885 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312293053 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312302113 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312310934 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312319994 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312376976 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312386036 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312396049 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312405109 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312413931 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312423944 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312433004 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312443018 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312452078 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312460899 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312511921 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312520981 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312529087 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312537909 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312678099 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312689066 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312691927 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.312700987 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317208052 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317209959 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317214966 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317219973 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317225933 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317230940 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317310095 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317320108 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317413092 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.317455053 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317466021 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317468882 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.317531109 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317540884 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317549944 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317559958 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317569017 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317578077 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317605972 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317624092 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317632914 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317641973 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317651033 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317673922 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317687035 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317697048 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317707062 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317715883 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317723989 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317733049 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317743063 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317753077 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317761898 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317770958 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317780018 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317789078 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317797899 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317809105 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317817926 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317826986 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317837000 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317847013 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317866087 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317874908 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317883968 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317893982 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317902088 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317910910 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317919970 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317929029 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317938089 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317949057 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317958117 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317966938 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.317975998 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.323303938 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.323323011 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.323333025 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.323559999 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.323612928 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.323620081 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.323630095 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324043036 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324062109 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324070930 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324191093 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324373007 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324531078 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324645042 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324664116 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324673891 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324682951 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324692965 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324703932 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324712992 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324723005 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324742079 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324749947 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324759960 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324769020 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324784040 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324793100 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324807882 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324810028 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324815035 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324820995 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.324825048 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325026035 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325258017 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325265884 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325275898 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325295925 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325305939 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325314045 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325324059 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325331926 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325342894 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325351000 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325361967 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325371027 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325381041 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325388908 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325397968 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325407982 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325426102 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325434923 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325443983 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325453043 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325462103 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.325470924 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328393936 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328447104 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328455925 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328478098 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328488111 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328501940 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328511000 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328551054 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328561068 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328569889 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328705072 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328716040 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328735113 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328744888 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328788042 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328797102 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328809023 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328818083 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328870058 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328879118 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328902960 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328915119 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328926086 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328943968 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328953981 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328963041 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328983068 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.328991890 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329056978 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329072952 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329091072 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329099894 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329117060 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329127073 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.329135895 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.332740068 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.332798958 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.366667986 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.368166924 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.368278980 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.368278980 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.368319035 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:21.374176025 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374187946 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374212980 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374222040 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374231100 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374242067 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374313116 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374322891 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374344110 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374352932 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374361992 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374372005 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374382973 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374402046 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374412060 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374419928 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374439955 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374449015 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374516964 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374526978 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374552965 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374572039 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374605894 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374614954 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374634027 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.374641895 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:21.399183989 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:22.249619007 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:22.250549078 CEST497101912192.168.2.5141.98.10.33
                          Sep 25, 2024 08:47:22.255528927 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:22.451536894 CEST191249710141.98.10.33192.168.2.5
                          Sep 25, 2024 08:47:22.483812094 CEST497101912192.168.2.5141.98.10.33


                          Target ID:0
                          Start time:02:47:02
                          Start date:25/09/2024
                          Path:C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
                          Imagebase:0x200000
                          File size:710'144 bytes
                          MD5 hash:0D691A633BEEE6186B92C949B1D517EC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2118443806.0000000003820000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2118443806.000000000387A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2118443806.0000000003759000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:02:47:04
                          Start date:25/09/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
                          Imagebase:0x620000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:02:47:05
                          Start date:25/09/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:02:47:05
                          Start date:25/09/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpFABF.tmp"
                          Imagebase:0x5f0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:02:47:05
                          Start date:25/09/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:02:47:05
                          Start date:25/09/2024
                          Path:C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Contract #U2116 KB #U2013 08152024 - 1.pif.exe"
                          Imagebase:0xa90000
                          File size:710'144 bytes
                          MD5 hash:0D691A633BEEE6186B92C949B1D517EC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2226506822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2229044839.0000000003026000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:02:47:06
                          Start date:25/09/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff6ef0c0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:02:47:07
                          Start date:25/09/2024
                          Path:C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          Imagebase:0x3a0000
                          File size:710'144 bytes
                          MD5 hash:0D691A633BEEE6186B92C949B1D517EC
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 55%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:10
                          Start time:02:47:09
                          Start date:25/09/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnizSfmxsGVsXD" /XML "C:\Users\user\AppData\Local\Temp\tmpC43.tmp"
                          Imagebase:0x5f0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:02:47:10
                          Start date:25/09/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:02:47:10
                          Start date:25/09/2024
                          Path:C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\pnizSfmxsGVsXD.exe"
                          Imagebase:0x6b0000
                          File size:710'144 bytes
                          MD5 hash:0D691A633BEEE6186B92C949B1D517EC
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.2254770469.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2254770469.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:11.4%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:38
                            Total number of Limit Nodes:1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4']q$P`]
                            • API String ID: 0-625569495

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: Mb{^${z:
                            • API String ID: 0-2479056712

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00A1AFFE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00A159C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00A159C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A1D656,?,?,?,?,?), ref: 00A1D717
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A1D656,?,?,?,?,?), ref: 00A1D717
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A1D656,?,?,?,?,?), ref: 00A1D717
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00A1AFFE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2116353658.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a10000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: r
                            • API String ID: 0-1812594589

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te]q
                            • API String ID: 0-52440209

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te]q
                            • API String ID: 0-52440209
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te]q
                            • API String ID: 0-52440209
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8aq
                            • API String ID: 0-538729646
                            • Opcode ID: 51425e57d660737a12cebb9278af4fd08d8c878ced1aef017ed58c46762f3acc
                            • Instruction ID: ad1b5067105640bcbeab1106d87fabd4ef124ee84c2a9be94fcfc7bf81b0acaf
                            • Opcode Fuzzy Hash: 51425e57d660737a12cebb9278af4fd08d8c878ced1aef017ed58c46762f3acc
                            • Instruction Fuzzy Hash: 27313774E06208DBCB04EFAAD9406EEBBB6EF88318F209429E515B7340E7346941DF91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8aq
                            • API String ID: 0-538729646
                            • Opcode ID: 3ac55d1b6cf64233f0125f4d842c3b3dc85d86c34d0d9c60610ba9e3a0b3a238
                            • Instruction ID: 783bdd95b2fe3c8d29761025d0ec249057bf5a2fa2f135b3b176d7eb5c489c6b
                            • Opcode Fuzzy Hash: 3ac55d1b6cf64233f0125f4d842c3b3dc85d86c34d0d9c60610ba9e3a0b3a238
                            • Instruction Fuzzy Hash: CB313874E06208DFCF04EFA9D8406EEBBB2BF89314F24942AE415A7250E7346A41CF91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: {z:
                            • API String ID: 0-2296403665
                            • Opcode ID: 6098d9c162ce68685c699b592001e97938b02a1fffade1b1fc0a0a705a64cd46
                            • Instruction ID: ff8cd182b0a6646c933cb24997f644dece0a23ea0f00c78a8707f30dfedb761f
                            • Opcode Fuzzy Hash: 6098d9c162ce68685c699b592001e97938b02a1fffade1b1fc0a0a705a64cd46
                            • Instruction Fuzzy Hash: 62217A74E40258CFCB94EFA5E4446ADBBBAFB89300F208559D50AEB345EB749D46CF00
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te]q
                            • API String ID: 0-52440209
                            • Opcode ID: 023c402cecb96762a68e1c8cdfb522578b285c76c6307d4d87526b9c6222b086
                            • Instruction ID: 2b8e9333fc1ca96f20a76ecb37dae44baad312e0a736622d4712ee14edb38738
                            • Opcode Fuzzy Hash: 023c402cecb96762a68e1c8cdfb522578b285c76c6307d4d87526b9c6222b086
                            • Instruction Fuzzy Hash: 54114C31B0020A8BCB18EFB999115EEB7F6ABC9714B104069C509E7254FB359E02CB95
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ee62448c120a7d1fa9437cd121aa104b75fba2e8c0d172b59e2c00d56a16cdea
                            • Instruction ID: 94459321095df068bd4d88411f04cf0d61f84d8ed30d324768e433c79a6882f0
                            • Opcode Fuzzy Hash: ee62448c120a7d1fa9437cd121aa104b75fba2e8c0d172b59e2c00d56a16cdea
                            • Instruction Fuzzy Hash: 6022A3B0D05F82CAD7716FA4848439EBE91AB41704F205D5FC4FECE262C736E5868B99
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3d5c107de874dc88b4475775a5d56d668394b8f87c70dd7ed41d7710b6c3d2fe
                            • Instruction ID: 437ed5abdc028b8cdb58333e9e5d0aa8e883f077ec179eeac05bd1ba1dfb6abc
                            • Opcode Fuzzy Hash: 3d5c107de874dc88b4475775a5d56d668394b8f87c70dd7ed41d7710b6c3d2fe
                            • Instruction Fuzzy Hash: B91292B0D05F82CAD7716FA4848839EBE91AB41704F205D1FC4FECD266C736E5868B99
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ddc02c6aa0c56966e9afbab2f794fade9bf1d9eb2d55590bde1f18fa14eca07a
                            • Instruction ID: 1b8dc66bba76c491b1a5bb73ae9c96a191cb6359ee5b8a273249ebe3587bd57f
                            • Opcode Fuzzy Hash: ddc02c6aa0c56966e9afbab2f794fade9bf1d9eb2d55590bde1f18fa14eca07a
                            • Instruction Fuzzy Hash: 4151BE70A042489FCB10EFA9C9546AFBBF6FF89314F14846ED905E7341DA34AE05CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4568481a956e4b664069241bd4d3414492c80f6e2cd80f51b2717f930f0e5ad8
                            • Instruction ID: 3e83f0480c0dcb6400fcf38e2815db5f0f287ad8be018052966dc99b58f7d812
                            • Opcode Fuzzy Hash: 4568481a956e4b664069241bd4d3414492c80f6e2cd80f51b2717f930f0e5ad8
                            • Instruction Fuzzy Hash: 25611934E02219CFCB00EFB8E544AAEBBB2FF09304F159569D805AB354DB35AA65CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 765a18b46bb9b922549546e4772d7d4dbf8c39419825b60a6921b2132fca5b60
                            • Instruction ID: d71789882740f434080bf81ebeb9dde4a0383a387e95ae5f5e036c9adf34f7d1
                            • Opcode Fuzzy Hash: 765a18b46bb9b922549546e4772d7d4dbf8c39419825b60a6921b2132fca5b60
                            • Instruction Fuzzy Hash: 3A719E34A01208AFCB15DF69D884DAEBBB6FF48724B154499F901AB361DB31ED81CF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8db09c0e5084c8249d7376eb7dd8d9aa4a81115ec802f696d4c35b53ecd2e19
                            • Instruction ID: d5d4ee92c4289cd6e52b0d8ac6b7c0193f98a12817d93c078cb79cb6f791ce41
                            • Opcode Fuzzy Hash: c8db09c0e5084c8249d7376eb7dd8d9aa4a81115ec802f696d4c35b53ecd2e19
                            • Instruction Fuzzy Hash: 6F519A307002008FC714EB6AD580BAEB7AAEF89304F15416DE40ADB3A1DB70ED45CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d71baa25cfac2a76310893e80b7b6ecff15993ec341e318fe5da59b047f0ebb
                            • Instruction ID: 4065dc477f67725257037262e3601884d034bfb4050fa119901193985d564a6e
                            • Opcode Fuzzy Hash: 8d71baa25cfac2a76310893e80b7b6ecff15993ec341e318fe5da59b047f0ebb
                            • Instruction Fuzzy Hash: DB418A307002008FCB15EF6AC684BAEBBB6AF89308F15416DE409DB362DB71ED49CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f60d4f68070d311c16d0b948b7835611b735b6ad991c7e1734d93f04bac572c4
                            • Instruction ID: a0d4df387f7f93eca4bc1737dbd27f85b115c12f8216f8e0c82a0e0d1babf6c8
                            • Opcode Fuzzy Hash: f60d4f68070d311c16d0b948b7835611b735b6ad991c7e1734d93f04bac572c4
                            • Instruction Fuzzy Hash: 5051F0B4E45218CFCF44DFA9D8446EEBBB2FB89305F10A42AE516B3240D7706A91CF54
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4671858006bc6ca644034b6befbb97dcbfdea5e1d4d28ff317b4bfb2ebd3b5d6
                            • Instruction ID: 7bc8eb3c0408a95ddcee0d79904d9629bdcddbe2209a6e78016d42d8984bdba1
                            • Opcode Fuzzy Hash: 4671858006bc6ca644034b6befbb97dcbfdea5e1d4d28ff317b4bfb2ebd3b5d6
                            • Instruction Fuzzy Hash: 0F51F0B4E45218CFCB04DFA9D8446EEBBB2FB89305F14A42AD506B3240E7706A91CF54
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2890fd81b8d08bd1d475df0daa4cdf6c3df6911b18f7ea22aad38b60b2fc0dbe
                            • Instruction ID: 359b213e8103c6e56b4e324e6807232b89bf11de2938b95b763a750ae3a8f6b7
                            • Opcode Fuzzy Hash: 2890fd81b8d08bd1d475df0daa4cdf6c3df6911b18f7ea22aad38b60b2fc0dbe
                            • Instruction Fuzzy Hash: 5F51B138A01208AFCB15DF68D494DAEBBB2FF49724B154499F9029B361DB31ED82CF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c63b506c16c869351822e99c2729b53457b40eac129fd3d5d739c423edc50e8
                            • Instruction ID: cad049eb99042538afd855cecf9e009d4ac83eb656d119a79b9cab6802ffe13b
                            • Opcode Fuzzy Hash: 7c63b506c16c869351822e99c2729b53457b40eac129fd3d5d739c423edc50e8
                            • Instruction Fuzzy Hash: 2A411674E09209CFDB08EF9AC4446AEBBF7AF89305F18E029E419A7251E7346D41DF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 59d04e08564d4f34c998c7608c9bf994eaaa03a2e6756e374ceca614a8481698
                            • Instruction ID: 39983a675ff86f142ff73d6b7fdf5357ce86eb74a562c655f1cf4db5a6f3c89b
                            • Opcode Fuzzy Hash: 59d04e08564d4f34c998c7608c9bf994eaaa03a2e6756e374ceca614a8481698
                            • Instruction Fuzzy Hash: D6411C71E09118DFDB04EFAAD4406EDBBF6BF89304F14D469E416A7281EB34AA81DF50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca702ef649dd086e9867c1960469abd9707a3db79ca0c8a66486f8e281521806
                            • Instruction ID: a161c8ef1c50f022fab5bc47e20014daf0a98f4ea5b45985479776e4190f795a
                            • Opcode Fuzzy Hash: ca702ef649dd086e9867c1960469abd9707a3db79ca0c8a66486f8e281521806
                            • Instruction Fuzzy Hash: B1410C34A002288FCB54EF69C994BDDB7F2FF48714F114069E905AB3A1D739A945CF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3786983df2640fd5221bdce01cc2ed318d18ea149dd0d76f88198d8cd3bb42e3
                            • Instruction ID: 536eae3e78433a3d6a0d84dbf2cf3a754a0d481cb7ad074c7bad12b936a9f171
                            • Opcode Fuzzy Hash: 3786983df2640fd5221bdce01cc2ed318d18ea149dd0d76f88198d8cd3bb42e3
                            • Instruction Fuzzy Hash: 5C410874E09208CFDB08DF96D5446AEBAF7AF89305F18D029E419A7261E7706D40DE50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca8e86876bbdc9ee47a64d9a13c6304ba3366895a1cc8ba38951913640f4cba1
                            • Instruction ID: 0e8901a4d1976c7c8931b00447ec7e8ff9f2a872ff5b63e804fda8bfbb95881c
                            • Opcode Fuzzy Hash: ca8e86876bbdc9ee47a64d9a13c6304ba3366895a1cc8ba38951913640f4cba1
                            • Instruction Fuzzy Hash: 50319336700A318BCF197B659C9937D76A7BBD5612B19041DE817C3380EF3C9A818B5A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbbb4f730ab08be6e630c20406c07dbbb3a1f39b6f5ee9b60de1b3155efdb6b2
                            • Instruction ID: cebc1851a86e7c492de4292ff283865d5ef756b80bbb5b2dd583263df19b258c
                            • Opcode Fuzzy Hash: dbbb4f730ab08be6e630c20406c07dbbb3a1f39b6f5ee9b60de1b3155efdb6b2
                            • Instruction Fuzzy Hash: 2E31D636704B228F8F197F259C8927D76A7FBD560270D041EE817C3381EF388A418B56
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbe630a93429c0f6e45505dff878196f4b14b43b80bce287bf154fb7555b1bce
                            • Instruction ID: 86734870f513a8c95f6e9c28b465c87f0e743c8c32ec8f4674950a2f6334c10a
                            • Opcode Fuzzy Hash: cbe630a93429c0f6e45505dff878196f4b14b43b80bce287bf154fb7555b1bce
                            • Instruction Fuzzy Hash: A63160B1E08118DBCF04EFAAD4406EDBBF7AF89304F14D069E416A7291DB30AA41DF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e14ce53b6d2d5c25e3a8c2f599fd7307ff5889096e142fe71bf9ffca6964d34
                            • Instruction ID: 7f47e051629f9a89266d4fa0674d294f431afcb019f790c30b8e96b27e004f3f
                            • Opcode Fuzzy Hash: 5e14ce53b6d2d5c25e3a8c2f599fd7307ff5889096e142fe71bf9ffca6964d34
                            • Instruction Fuzzy Hash: 15314AB1A00249AFCB14DFA9D844ADEBFF9EF49314F10842AE519A7210D735A944CFA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e789085b89888c7be8f6a1f6123206358af2bdda601b060ef596d250c3acad3a
                            • Instruction ID: 1e2a2e51e4cded86e7ad494e6a0354887cf7879727fc3418532a7dc645e90211
                            • Opcode Fuzzy Hash: e789085b89888c7be8f6a1f6123206358af2bdda601b060ef596d250c3acad3a
                            • Instruction Fuzzy Hash: 1C316471E04218CFDB04EFAAC4506EEBBB6BF89305F94842AD405B7651E734AA41CF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 658514d9dc55ae27d0d8f24265831688e081f3ec765e48d7fd651774b29614d6
                            • Instruction ID: bcaaa2d4080b1d8eb8cdd7a78bb96d14d0d32fb72ee06ea0baab790cf9edc9c8
                            • Opcode Fuzzy Hash: 658514d9dc55ae27d0d8f24265831688e081f3ec765e48d7fd651774b29614d6
                            • Instruction Fuzzy Hash: 1A315571E05218CFDB04EFA9D4506EEBBB2BF89315F94842AE404BB651D734AA41CF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115394068.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_87d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e3acf686fb12089be233345a6f4a302b69bc8eb0db49322b3a04637eff4bbe2e
                            • Instruction ID: f07810c2d59032379e3cf4a4729d908f342bf9ca3084f1eb09edf6001b549de7
                            • Opcode Fuzzy Hash: e3acf686fb12089be233345a6f4a302b69bc8eb0db49322b3a04637eff4bbe2e
                            • Instruction Fuzzy Hash: A621FF71504344DFCB05DF14D9C0B26BF75FF98328F24C669E9098A25AC33AD816DAA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d565ebd3d0118080716914c72a66f6f60ba9dae4f26a8a6c46a3d1eb2426802
                            • Instruction ID: cbc523e6a12a5be15e27acfffb355e787a4889f8883fcdebd9b373de56968ef4
                            • Opcode Fuzzy Hash: 6d565ebd3d0118080716914c72a66f6f60ba9dae4f26a8a6c46a3d1eb2426802
                            • Instruction Fuzzy Hash: 2B213B34A05258CFCF10DF94D584AADBBB6FF49309F10695AD00AB7255E331AD81DF21
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115549111.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 993acfe872399e687827a64099c0cfdb47c86e8039d91b7e8f1cbceaaaf87152
                            • Instruction ID: ddc2eb35b4781582d3a5c4d38199c9c1933d1c0f5297d6d77643713434930136
                            • Opcode Fuzzy Hash: 993acfe872399e687827a64099c0cfdb47c86e8039d91b7e8f1cbceaaaf87152
                            • Instruction Fuzzy Hash: 7721F271604704DFDB14EF24D984B26BF65FB88318F20C569D94A8B396C33AD807CB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115549111.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8fce7e64e489dc4f2b1c79b0a38beb21dadee7fa1fe11baede535ca435648273
                            • Instruction ID: d6cbec309365d4f0e79eb2c9064c592eb595e5073f0732e7325ee1313f35d338
                            • Opcode Fuzzy Hash: 8fce7e64e489dc4f2b1c79b0a38beb21dadee7fa1fe11baede535ca435648273
                            • Instruction Fuzzy Hash: 9521F571504304DFDB15EF54D5C0F26BB65FB84314F20C56DD9098B296C33AE806CB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8518d2a594732ccf8287a7a4960c42eed12f9ce2fe58d740adc0b64a0f2a0a7b
                            • Instruction ID: 821a37b3a9748b5d6adc7dbdec2927fa581171c9dbdfc9a49e96b78fd3934bc0
                            • Opcode Fuzzy Hash: 8518d2a594732ccf8287a7a4960c42eed12f9ce2fe58d740adc0b64a0f2a0a7b
                            • Instruction Fuzzy Hash: 7E3124B0C012589FDB24DF99C948B9EBFF5BB48314F24805EE404AB240D7B46844CF95
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9d2154ba352e1841b9c814b73236eee3839827600c57f4eabe73ae185571c91a
                            • Instruction ID: 4c6f5a5c28ee50f0e05442617b19c867228c1cb807f59d6603d4c0e235d9b2d5
                            • Opcode Fuzzy Hash: 9d2154ba352e1841b9c814b73236eee3839827600c57f4eabe73ae185571c91a
                            • Instruction Fuzzy Hash: 66215BB57006009FCB24DF19C580ABA7BF7AFC9614B08445EE94A87751DB35BD42CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb39efdc0316dc8056124421ae85288192e907dac014be5470587da22ee0eb4b
                            • Instruction ID: 224a995518eaeb286d5b2423f3efcfd25cd0f0e27ab4bd78472960e136cfc561
                            • Opcode Fuzzy Hash: eb39efdc0316dc8056124421ae85288192e907dac014be5470587da22ee0eb4b
                            • Instruction Fuzzy Hash: 4D216D767002149FCB24AE15D580A7A73FBFFC4725F18442EE90A87751EB31F9428B50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e54f37c3da3cfd980b1466b5aacda9341de2f6586aa295c6cdc4310c5e73902c
                            • Instruction ID: 8c80861688009d1d0ad40fff363e03e247692f987f6c3cfe398e059cbc11027f
                            • Opcode Fuzzy Hash: e54f37c3da3cfd980b1466b5aacda9341de2f6586aa295c6cdc4310c5e73902c
                            • Instruction Fuzzy Hash: 3D3114B0C00218DFDB24DF99C988B9EBFF5BB48318F248019E504BB240D7B5A844CF94
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3739ed09038f10754607097a430e7bcac892dcde6ae74ad51efd2e7517a8933f
                            • Instruction ID: 2eaa9a6f3031b9a80eee42dd373d498ba0d4665658756c761d859a5bf7ade913
                            • Opcode Fuzzy Hash: 3739ed09038f10754607097a430e7bcac892dcde6ae74ad51efd2e7517a8933f
                            • Instruction Fuzzy Hash: E93102B0C002189FDB24DF99C988B9EBFF5BF48318F248159E408AB240D7B55945CF94
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4c42f487196f773d88e04c07f11fb50bcd931fcff7473bd2d8de2d67d55ee7e
                            • Instruction ID: 506cb8fdd4b4a35ce3a81382a47c1714e6923cc18aec1f411f2ea09d3d47074d
                            • Opcode Fuzzy Hash: e4c42f487196f773d88e04c07f11fb50bcd931fcff7473bd2d8de2d67d55ee7e
                            • Instruction Fuzzy Hash: 623128B4A41254CFCB54EF24E448B9DBBB6FB4A305F409498E409EB255EB70AE84CF11
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d8572531e2ee6bfe1ad352091684e53ff80d694fba56e2e25e01dcc5e68e100
                            • Instruction ID: 701264da60a8bcf20329e3440aa80457e1f5a24c6fdcb4225744a65882d2a987
                            • Opcode Fuzzy Hash: 8d8572531e2ee6bfe1ad352091684e53ff80d694fba56e2e25e01dcc5e68e100
                            • Instruction Fuzzy Hash: 59110470B002149BCB18AEB9881067F7AA7FF84754F08856CE816CB351EB70EE4097D5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc758c60ea1df8fe09dee05471027de3198325543e661d1a349ea677888d9e1f
                            • Instruction ID: 9d80e32ff3b1130e3b481fd5aba2c93f206422353b2d5dc71b9c95e94d3d7e0c
                            • Opcode Fuzzy Hash: cc758c60ea1df8fe09dee05471027de3198325543e661d1a349ea677888d9e1f
                            • Instruction Fuzzy Hash: FA21F971E0024A9FCB05DFA9C8808EFFFF9FF99200B15865AE514E7211E774A956CB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 88a6921385a23c1efcd42cefb3d17872894faed34bc2edca2d270df707413ac5
                            • Instruction ID: b2781a2569b113aae6dce8e2700ddcb3ae171d4b7faa9773c73fd39d920a0f75
                            • Opcode Fuzzy Hash: 88a6921385a23c1efcd42cefb3d17872894faed34bc2edca2d270df707413ac5
                            • Instruction Fuzzy Hash: A7218B34E05204CFDB49CF66C8409EDBFF6AB8A304F1490A8D445A6321D7756901DB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4da73c7b438b858983d342d07caba3eb98cfcb78d0ce8225aa7120259fae94e7
                            • Instruction ID: 3f5c72f2cfdcfa6fffd0d70ba6d15944a66102e65f3fe08ab6f40e532c51721c
                            • Opcode Fuzzy Hash: 4da73c7b438b858983d342d07caba3eb98cfcb78d0ce8225aa7120259fae94e7
                            • Instruction Fuzzy Hash: 3321CAB4E05209CFCB84DF99C1819AEBBF6BF48304F659099E409A7751E730AE40DFA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc0ec1b60312f6ef6998753cb5a1d3568a721f9b865e99d7144d189a59857e87
                            • Instruction ID: 43a306045d354b02d916d5d8aaab578939385d2e87c9beb49d91efc1c31c6a16
                            • Opcode Fuzzy Hash: dc0ec1b60312f6ef6998753cb5a1d3568a721f9b865e99d7144d189a59857e87
                            • Instruction Fuzzy Hash: 4C11A1752047C41FC7034F7858918EA3FB6AF8621070985EAE585CB267C6285D1BEBA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0f2091fcaa6b79e6d1433a9c82a11e24dbb662877e5ca51969164a2588888012
                            • Instruction ID: a70ce91de9ede0bc10987df1455ca01d9cfd9674b09decd7c547a7cf3b4c1e34
                            • Opcode Fuzzy Hash: 0f2091fcaa6b79e6d1433a9c82a11e24dbb662877e5ca51969164a2588888012
                            • Instruction Fuzzy Hash: 0C21CC71E1020A9F8B04DFADC9448AFFBF9FF98310B10865AE518E7215E770A956CB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 435c2daed97765840849a44c2ff78b339f87fdbe5e91428a2ffaf2b5801c08b0
                            • Instruction ID: fd7dffff18c4ce0867e93415927fcf1ca8a757fb380cd0e25b8b9eff1ea2da56
                            • Opcode Fuzzy Hash: 435c2daed97765840849a44c2ff78b339f87fdbe5e91428a2ffaf2b5801c08b0
                            • Instruction Fuzzy Hash: 84112B70E09218DBCB48DF9AC4448EDBBFBBB8E305B14D4A9D409A7251DB71A941DF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8363bb8fd0f53079dfa2a5af644b267c3fe3cfe3505c771c256cb8d5adbebed
                            • Instruction ID: c69cf1cad4ec4d30e6292703074c81844f929fec5ced0532d7ba2a94801dda83
                            • Opcode Fuzzy Hash: f8363bb8fd0f53079dfa2a5af644b267c3fe3cfe3505c771c256cb8d5adbebed
                            • Instruction Fuzzy Hash: 1A21A974E05209DFCB44DF99C1809AEBBF5AF48305F649059D409A7755E730BE40DBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115394068.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_87d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                            • Instruction ID: 48f28294029ea447aba3585c9de1ead476a622f7fb078a59fc94889491b6f079
                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                            • Instruction Fuzzy Hash: A011DF72404280CFCB02CF10D5C4B16BF71FB98324F24C6A9D8494B25AC336D85ACBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e3f95c9ebb9034983037d4bbc2fe021578096b0df179debda9024d25747ef43a
                            • Instruction ID: 280dbf395805deeba38f0110ae756a18d00b087992eecff61c942800e9d735ce
                            • Opcode Fuzzy Hash: e3f95c9ebb9034983037d4bbc2fe021578096b0df179debda9024d25747ef43a
                            • Instruction Fuzzy Hash: BA21D3B59002499FCB10DF9AD988ADFBBF5FB48310F108419E919A7210D379A954CFA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 179faa0917bbe6bd95e1d58aa49082322ce1feeaec89e251cbd347f8844a89dd
                            • Instruction ID: 1d44c53c772b4f8a1e528cfbe53d4016c79cc5b08695635b434c03704c63d6e7
                            • Opcode Fuzzy Hash: 179faa0917bbe6bd95e1d58aa49082322ce1feeaec89e251cbd347f8844a89dd
                            • Instruction Fuzzy Hash: 26118275A006165F9B15EF7D98405BFBBB7FFC4264714462CD819D7340EB309E068750
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbd38c140b3bdc722e717b16f638c11da478a1a3f7cf9485bcc0479988b89ea3
                            • Instruction ID: dab28d1d5a25ce9735b264e21e81d2129b8c51faf2dc63484049cdf15838a1b1
                            • Opcode Fuzzy Hash: cbd38c140b3bdc722e717b16f638c11da478a1a3f7cf9485bcc0479988b89ea3
                            • Instruction Fuzzy Hash: 97119EB1B002599FCB11DF28D880AEE7BF6FF59310F084469E915C7211DB30DA16CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6b582a8f34e63dc3c1a26f53957c1effaae63541b9a4e6b628f23b134ee8618
                            • Instruction ID: b771f8eafa4140775412a02fe2434518a233ca2fdab8a87565c93b014687e8cb
                            • Opcode Fuzzy Hash: b6b582a8f34e63dc3c1a26f53957c1effaae63541b9a4e6b628f23b134ee8618
                            • Instruction Fuzzy Hash: 0A110AB4D04209DFCB44EFAAC4416EEFBF6FB49304F549469D518A3600E7746A45DF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 73bb35d2b2062536f2a3aba4fd03627bc16128d048f0b949188abb36c54fcdb0
                            • Instruction ID: c98c3d6dd5ab9fd600b150199d83c61e0f720f96c640a8f96dc240dc41f72603
                            • Opcode Fuzzy Hash: 73bb35d2b2062536f2a3aba4fd03627bc16128d048f0b949188abb36c54fcdb0
                            • Instruction Fuzzy Hash: EC11E374E09208DFCB44EF9AC141AADBBF6FF49314F1495A9E418A7212E730BE41DB41
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115549111.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                            • Instruction ID: 67b8955e9f0f1562e04ebf8ff9d3afd8814919def3ca7f7680031953972bac23
                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                            • Instruction Fuzzy Hash: F511BB75504380DFCB12DF14C6C4B15BBA2FB84314F24C6A9D8498B296C33AE80ACB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115549111.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                            • Instruction ID: 4f81c59f0d4f3c1477fdc007850ad4693bf157603d40d1dc12f60227eae40922
                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                            • Instruction Fuzzy Hash: 2B11BB75504780CFDB12DF14D5C4B15BBA2FB88314F24C6AAD8498B696C33AD80ACBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 50de8d03924a4c5a0377df722303d9826d34d78497a154f20a8bb3aaf684a846
                            • Instruction ID: e7cce516653511ef8f6d9cb83d499f0bdaff589a76154d0e31e05163ed42b13d
                            • Opcode Fuzzy Hash: 50de8d03924a4c5a0377df722303d9826d34d78497a154f20a8bb3aaf684a846
                            • Instruction Fuzzy Hash: E71104B0D006188BEB18CF9BC9043DEFAF3AFC9304F04C06AD4197A264EB7509458F90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e365effa087451d00d20078ef65ae9da849f7a31eee7018211979d8daffadf2
                            • Instruction ID: 043ec87018c324c2990d9552492c8e10e4ba30a29be4385efbe630f16f036c47
                            • Opcode Fuzzy Hash: 2e365effa087451d00d20078ef65ae9da849f7a31eee7018211979d8daffadf2
                            • Instruction Fuzzy Hash: E711B7B4E04209DFCB44EFAAC4416AEFBF6EB49304F54A46ED518E3600E7746A41DFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8be7a955f9b83e6f44a3c0fe8d19bbacdae121be771b31c4fb6c0fc3f2a658cc
                            • Instruction ID: 3f7267d06e7f44821134c00d4056f753e75ff75d72f22c4132eb588380bbd61c
                            • Opcode Fuzzy Hash: 8be7a955f9b83e6f44a3c0fe8d19bbacdae121be771b31c4fb6c0fc3f2a658cc
                            • Instruction Fuzzy Hash: 0101D2B1B002566FCB11EB298D908AFBBF7EFC5218718442ED844D7251D771EE05CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 771385a6ed3cdf2b90a3aeeb853ab98855bfee97111c90670086523c1d3c3661
                            • Instruction ID: 18777bbd5cc963fbdad9b218d56a1df22df70c4d5b09cb4d32959d50aeb41858
                            • Opcode Fuzzy Hash: 771385a6ed3cdf2b90a3aeeb853ab98855bfee97111c90670086523c1d3c3661
                            • Instruction Fuzzy Hash: 96018471B0021AABDB10FA698D848AFB7FBEFC4658B14483ED905D3200DB71EE05C7A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 130103150a3a6e423bc19d8484e3525fd5dc261070f3c1dff920d7bc49698c7b
                            • Instruction ID: 9d0fec4ca338a1757fc56451fa684421b89668474ce7fc023248a1bfa8f91c71
                            • Opcode Fuzzy Hash: 130103150a3a6e423bc19d8484e3525fd5dc261070f3c1dff920d7bc49698c7b
                            • Instruction Fuzzy Hash: 44113C71A002199FCB11DF69D884AAEBBF6FF48710F044429E919D7210DB30EA118B61
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6942e860d498a4bb0df7cae734eae0b486ddad87deff9060c245e37afc9aadd6
                            • Instruction ID: 20d8fb2979f840c24e7eabb6895b0ea8ce51306336dab629ade62b79bbe51fda
                            • Opcode Fuzzy Hash: 6942e860d498a4bb0df7cae734eae0b486ddad87deff9060c245e37afc9aadd6
                            • Instruction Fuzzy Hash: 0811D374E09209DFCB04EF9AC5409ADBBFABB49314F1495A9E418A7216E330BE419B81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ccbcfe6342cdc4bbd54da27c74f064440e32471e1724e02df910962832727787
                            • Instruction ID: 3d3c3af3157cdc1838eee32a12f400a5c2da93d6b513e7ace8792ad9d675cc1e
                            • Opcode Fuzzy Hash: ccbcfe6342cdc4bbd54da27c74f064440e32471e1724e02df910962832727787
                            • Instruction Fuzzy Hash: 55116774E44384CFCB54EFA5E444AAC7BB6FB49301F20812DD55AAB352E7B4A941CF11
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4409134e71a2ac2567cd7fab9db5927b04be0ac45380a58f47462ca98fdf48c
                            • Instruction ID: 75e5349b65c523dc2ba5876081b3ee8a54c720cc166b3d3b413bba6f2e65efe5
                            • Opcode Fuzzy Hash: e4409134e71a2ac2567cd7fab9db5927b04be0ac45380a58f47462ca98fdf48c
                            • Instruction Fuzzy Hash: 0811B0B1E006188BEB18CFABC9447DEFAF7AFC8304F04C46AD51976264EB7519858F90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed915047ecdf3e5f1e8948357c5c685f922bd039ce6147e8b7396b3860da879f
                            • Instruction ID: 7d5958e0ff7f9542643b22dfc456d738680a2f8efd67570f5acfac246ae32b05
                            • Opcode Fuzzy Hash: ed915047ecdf3e5f1e8948357c5c685f922bd039ce6147e8b7396b3860da879f
                            • Instruction Fuzzy Hash: DE01B1303002004FC719AA79D59497A7BB79FC2318B18C5BED84A8B266CB65ED07CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0fa8f8ee10ede1fd6c063d868e2eaeba0c4d338cc2348693b0eb34388bd582e
                            • Instruction ID: 86d98f89c6e1b98918cfb768c1db3b2eaa29456ad74fe6c591a1418a9dbcb83e
                            • Opcode Fuzzy Hash: a0fa8f8ee10ede1fd6c063d868e2eaeba0c4d338cc2348693b0eb34388bd582e
                            • Instruction Fuzzy Hash: F311D3B1E042088BDB08CF9BC8403DEFBF7AFD8304F18D16AD81AAA255EB3519458F50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115394068.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_87d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01fe34479e01b824ee411842a90ec6d8e9c315eff7e6841247a003ca0716860e
                            • Instruction ID: a63cdf1b0c044b18f92fd0a001a7b3a6ee5ee0ff87b2c747294ec1f8cc1da01a
                            • Opcode Fuzzy Hash: 01fe34479e01b824ee411842a90ec6d8e9c315eff7e6841247a003ca0716860e
                            • Instruction Fuzzy Hash: 5D01FC3100434499D7145A19CD84B66BFACFF45364F18C529ED0C4A28AC239D800CA71
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0ffe48325d96c953f77ec1167a09a3d32f65a9389bb41d09698d7ef31bc43fdf
                            • Instruction ID: e6b92dc949e1f01ecf2c8e7c145f844cd955fe01102a5b4e389b054bb6457b68
                            • Opcode Fuzzy Hash: 0ffe48325d96c953f77ec1167a09a3d32f65a9389bb41d09698d7ef31bc43fdf
                            • Instruction Fuzzy Hash: F601D4303142008FC724EB29D464E6AB7A6EF81315B54C1BDD84A87365CB75EC06CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b986c27dbf7fab3ed31f00b9ae92647792d883b1a4a6e370428e35cf863a580d
                            • Instruction ID: 8da840ffeefb876e8aadf5d0a1ebebbdaa568e9aea05a8cdd8369be5f865c05c
                            • Opcode Fuzzy Hash: b986c27dbf7fab3ed31f00b9ae92647792d883b1a4a6e370428e35cf863a580d
                            • Instruction Fuzzy Hash: 600162303002148FC718BA69D554A2A73EBEFC1314754C5BED80A8B365DF75ED06C795
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Memory Dump Source
                            • Source File: 00000000.00000002.2115394068.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_87d000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20ce69daf3e673753a604d707caada7ac248614ae4e76e0518344c01278492f4
                            • Instruction ID: 6db52c71b0016a3a90da467dd55e8c08966f35c0b3fca375d3b344e5b5479748
                            • Opcode Fuzzy Hash: 20ce69daf3e673753a604d707caada7ac248614ae4e76e0518344c01278492f4
                            • Instruction Fuzzy Hash: D7F06D30966209DFC780EFA8D945B9CBBF5EF09709F2040E9ED0497721E7309A60DB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9ce7518198e6048bcbc1697ce1baaaf187903c0179bcc0f3f06db623877c490f
                            • Instruction ID: ade43d37b8172e9916e4de72f21c26da5a35b1b0dda914b2206c2be53895c6c0
                            • Opcode Fuzzy Hash: 9ce7518198e6048bcbc1697ce1baaaf187903c0179bcc0f3f06db623877c490f
                            • Instruction Fuzzy Hash: F6E04F353041905FCB1546ADA4558E97FB98ECB62131540EAE189C7222D9515C07CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e9491529cc42393337df63b0ee3460d1e4b6758099c6835e485296a8010bf4b0
                            • Instruction ID: 2bbe9659c78ed2ef6ff0ae6f1aca0d1a3a7ec8816a7d86bec19b84ba51dbdc26
                            • Opcode Fuzzy Hash: e9491529cc42393337df63b0ee3460d1e4b6758099c6835e485296a8010bf4b0
                            • Instruction Fuzzy Hash: 42F03974D0020CEFCF44EFA8D50468DBFB1EB88301F00C0AAE908A3350E671AA54DF42
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ecab2541fe098c33717f19b3da687741058cca21b572a395e3058db552e415e
                            • Instruction ID: 954faf153014432952568f9c6d5d00b35a589219dc67f92ff2fc057cdcd1b39c
                            • Opcode Fuzzy Hash: 4ecab2541fe098c33717f19b3da687741058cca21b572a395e3058db552e415e
                            • Instruction Fuzzy Hash: 85E0DF70949208DFCF15DF94E802BECBF72EB06311F1081AAE90017290C7300AA4EBA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 657e04ed41d49a935c7adef9495ec493c09302c982d624eafcfc57e29e2a2b73
                            • Instruction ID: a495c297d7ec5f8a1e77a8aa243c7ddbcc640edc7cbfaa31c38f66a773e591a6
                            • Opcode Fuzzy Hash: 657e04ed41d49a935c7adef9495ec493c09302c982d624eafcfc57e29e2a2b73
                            • Instruction Fuzzy Hash: D9E0C27294E208AFD312EA69C8515DABB7AEB07208F05449AC14943263FE306E12C792
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 053d302c1ae1747f2120891d22bc64557037368ccf69c29a6ab1b779592e12f9
                            • Instruction ID: af5a29663a2b2da058a7371ab50ffdcd44fde0f5c8e1f2f222a714dc09d22199
                            • Opcode Fuzzy Hash: 053d302c1ae1747f2120891d22bc64557037368ccf69c29a6ab1b779592e12f9
                            • Instruction Fuzzy Hash: 4AE0DF32A4D258EBCF009B29E0541A8BB74FF47249B4024EAD51B9B123E7321950EB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 074c0d98a1dae3c192070bcdd3b3cf8bebfc82c55795e19068aa11eb47d03e40
                            • Instruction ID: 3a9d952aae34b88c4f752965be44887cbf9c2d13bf00ce7a9d22125b0d53efe2
                            • Opcode Fuzzy Hash: 074c0d98a1dae3c192070bcdd3b3cf8bebfc82c55795e19068aa11eb47d03e40
                            • Instruction Fuzzy Hash: F6E01A74D5520CEFCB94EFA9D8056ADFBB6EB49301F10D1AA9D1893310E7305AA0EF80
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1b6458a92ca2b7a35e3b503c45cf36ffea155737483811d7ac2e6a780a4a36e5
                            • Instruction ID: 867927b8001b6bcb54845c6cdd462d5c54260a679d92c05aa707d14f31255153
                            • Opcode Fuzzy Hash: 1b6458a92ca2b7a35e3b503c45cf36ffea155737483811d7ac2e6a780a4a36e5
                            • Instruction Fuzzy Hash: DDE0E574D05208EFCB44EFA9D44069DBBB6AB48305F50C4AAD908A2350E676AA61EF81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c2fb65bd5f369b82e6fa20410ed6dd8659fc1e8524fef38b52c4f47bd6209857
                            • Instruction ID: 40f39b1dbcd47d00a0eecfd000c63a905a88086b484a7d6fc5b5574aee39b667
                            • Opcode Fuzzy Hash: c2fb65bd5f369b82e6fa20410ed6dd8659fc1e8524fef38b52c4f47bd6209857
                            • Instruction Fuzzy Hash: 4FF0ED74D09208EFCB44EFA8D14569DFBB5EB48305F10C4AED904A2750E7769A61EF81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8fbb044950754146a93defa0551a0d9672a7070202f4072a469883fc2d78a5a
                            • Instruction ID: d482d1159c484341b32421d4f4ceb821ec9885fe82362c6327619cc6cc2c762d
                            • Opcode Fuzzy Hash: c8fbb044950754146a93defa0551a0d9672a7070202f4072a469883fc2d78a5a
                            • Instruction Fuzzy Hash: 49E0DF32D082908FD714BA6CE4486A837AAE701334FAA80ADD58993201C2B9EC428B90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ed87fecf40fc57b7ffb656533710293a07d676ff3f4ff86d571f844734de79a
                            • Instruction ID: df6446d78697a08c2d0a1ef2fa9001d6c9e2bf3dc68a369fdde9f392cdddd62d
                            • Opcode Fuzzy Hash: 3ed87fecf40fc57b7ffb656533710293a07d676ff3f4ff86d571f844734de79a
                            • Instruction Fuzzy Hash: 44E01A70D56208EFCB80EFA9D4046ACFBF5AB48305F1095AA9918A3310E6305A50DF81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 630f45e86aa2fe7cba5334f3a075d7238fc92a950dd7a2aedc0d299a86bb4f24
                            • Instruction ID: 754a64db178de7958878f0c061e454e35429f509e55b42c6a0934a4d03dadb9d
                            • Opcode Fuzzy Hash: 630f45e86aa2fe7cba5334f3a075d7238fc92a950dd7a2aedc0d299a86bb4f24
                            • Instruction Fuzzy Hash: 3CE01A70E45208EFCB40EFA9D4046ACBBF5EB49304F0090A99908A3301E6305A50DF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9fe53272b40c4fdca85fe083bfccab08a4c47e0bd4ea69450ae86427cfd0a5b8
                            • Instruction ID: aa6c77313f20bac0b529c14c82e1f7d24d315729024feef58e40ef055c964040
                            • Opcode Fuzzy Hash: 9fe53272b40c4fdca85fe083bfccab08a4c47e0bd4ea69450ae86427cfd0a5b8
                            • Instruction Fuzzy Hash: 8CE04F74964108DFC780EFA8C484A9CBBF5EF08715F5040E9D90897721E630AA50CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f538ba5d9b01d2dcad269612aec865f117691748e4185c5cb3144da4ecc55be2
                            • Instruction ID: 629c19043aca4fbf6afdf62a07f1b1086a595684568c6e7c8b7d9d427c5d261d
                            • Opcode Fuzzy Hash: f538ba5d9b01d2dcad269612aec865f117691748e4185c5cb3144da4ecc55be2
                            • Instruction Fuzzy Hash: A8E04F70D99208DFCB80EFA8E50529CBBB0AB05305F2054ADDA0493600E7305A60DB41
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e5d4082d5d2b74033d31d6a1b97dcc5916b54aa170aa936b403b7465ae6897d
                            • Instruction ID: f67d4d2a25c1014cad0eafb4b96574b3e840006236532485d6077a7f2c1300a0
                            • Opcode Fuzzy Hash: 5e5d4082d5d2b74033d31d6a1b97dcc5916b54aa170aa936b403b7465ae6897d
                            • Instruction Fuzzy Hash: 10E02B3044A30CDFCB50EB90E602B6A7B7CEB43349F11249CA50413522D7315D60EF70
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f23f19d756e72fa5076395d08b7fcb2463bae0ae06a402d7e8951cdd690c005e
                            • Instruction ID: f5007d1cb2e9b4204e36c0b9db9d02ebf2766b728879ad535359a82925654f4e
                            • Opcode Fuzzy Hash: f23f19d756e72fa5076395d08b7fcb2463bae0ae06a402d7e8951cdd690c005e
                            • Instruction Fuzzy Hash: 8AE01270D9520CDFCB80FFB8E4456ACBBF5AB09309F5054A9DA0893750E7705AA0DB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 276bbf4a4ccf876ae6a1979b2c26a0148bdbb88236a33bfaf43296ee4a7ee21f
                            • Instruction ID: e90e27921da7b1b602a663f9aebf4cc14a07b9ec6d34093ac41d4c59920e4901
                            • Opcode Fuzzy Hash: 276bbf4a4ccf876ae6a1979b2c26a0148bdbb88236a33bfaf43296ee4a7ee21f
                            • Instruction Fuzzy Hash: 1CE09230508250CFEB00DF28C4848AC7F35FF06304F0498D9D4062B116E730B980CF11
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01927d5061146acc1a725c2d7314ffe9f66de437f035b12e459be3183ee75ea4
                            • Instruction ID: 36a130b5d4ebcf5e425e208a0b94cb5e932b2d052a88561ecd9b0151ac3db244
                            • Opcode Fuzzy Hash: 01927d5061146acc1a725c2d7314ffe9f66de437f035b12e459be3183ee75ea4
                            • Instruction Fuzzy Hash: A0E0C230D4520CEFCB04EF94E805AECBFBAEB0A311F009169DA0413390D7301AA0EB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b1ac321a26f7e127ccb20007107be2cea1a804e1382e7df0dc54b2e82193026
                            • Instruction ID: e9aad00d6531015af36eb6165724e6469c1e032384b017c75377068df71d6e32
                            • Opcode Fuzzy Hash: 0b1ac321a26f7e127ccb20007107be2cea1a804e1382e7df0dc54b2e82193026
                            • Instruction Fuzzy Hash: DFD0C7367505245F8B44965EE404C9A77EDDFCDA31311407AF20DC7331DE61DC428794
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16f3d749ffe41896d4665036e505c4954ba4ba45464b75ea6b962ccb266f104e
                            • Instruction ID: 6ad6fc04ee006e9f8635797cb3010cf96b784cbd6a79916e465e12212d3c2858
                            • Opcode Fuzzy Hash: 16f3d749ffe41896d4665036e505c4954ba4ba45464b75ea6b962ccb266f104e
                            • Instruction Fuzzy Hash: D4E04F70A45205CFCB48EF98E544A9C7B7FFF553047049614801ACB619E7F46C09CB11
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 617be624881d7c37ae34abda524a380877088c26766b163ef84eaef528e0a9ba
                            • Instruction ID: 835a000d607f0b3006b35b473217edafa230811f6771d7197e4aa4a5d7ef168a
                            • Opcode Fuzzy Hash: 617be624881d7c37ae34abda524a380877088c26766b163ef84eaef528e0a9ba
                            • Instruction Fuzzy Hash: 57D0A736E46208CFCB009B54E4045DC7738FF46215B0010DBD51783123C3315950DB10
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 86b5c4b289f3a1795baf774c56ed2594d2f1446dfc96cc7659812d44ac2e9795
                            • Instruction ID: 268b2a0d3da56caa4ae883f2c8c517a5112b87ad22db3e5371853e397d993fad
                            • Opcode Fuzzy Hash: 86b5c4b289f3a1795baf774c56ed2594d2f1446dfc96cc7659812d44ac2e9795
                            • Instruction Fuzzy Hash: 4BD0A77088A108DBCB40EA55D5056AD776D9746209F40246C950853612D7715D50EB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c0d4e2dbbb5265bc4c94689c6ebd0c20c378c400f070c87b45e12cd169688e2
                            • Instruction ID: f941f39aa7c9ec040875053c09c39bdb41aff320155945be6b0008ec7c32650a
                            • Opcode Fuzzy Hash: 7c0d4e2dbbb5265bc4c94689c6ebd0c20c378c400f070c87b45e12cd169688e2
                            • Instruction Fuzzy Hash: 8AD02230A8A10CDFC740EAA9C400AADB3AED702208F00189C860913262EE713E50DB86
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e48070930e743303b0119a86f0fecde5171b707aa5577b3cd677f6070f93788e
                            • Instruction ID: 0a272e7d85a61040bd1ffda1bf2b11528769997a20ded2442836e4c91b18e645
                            • Opcode Fuzzy Hash: e48070930e743303b0119a86f0fecde5171b707aa5577b3cd677f6070f93788e
                            • Instruction Fuzzy Hash: DCD0CA660491C08FD303A3A0482A895BFB1AE1720C35980EEC8C10B133D502A42BEB52
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 96f39a27138e5f6ae868c16a9f75040d695af58b6fa066316265a0d353a1796d
                            • Instruction ID: 9cf904bd60e3bf9d0e38dd6ab9ef57cef0c3d9b87cb1b2368136228af36e06b7
                            • Opcode Fuzzy Hash: 96f39a27138e5f6ae868c16a9f75040d695af58b6fa066316265a0d353a1796d
                            • Instruction Fuzzy Hash: 91C0CC3A000280CEC20ABB208800C08FFE2FFA230830888A280880A032E320C00CFB02
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca8afe1812f49a272a04d6afb38010fd3b65d8ee4deca5adc82bbe3bc9488952
                            • Instruction ID: bdb3b8406292b995c24c6095504d34ba7a31e0e5b925e344b23eb328def74f92
                            • Opcode Fuzzy Hash: ca8afe1812f49a272a04d6afb38010fd3b65d8ee4deca5adc82bbe3bc9488952
                            • Instruction Fuzzy Hash: 41C08C30C822048BCB402798B80C3283BA9674130BF402454E609004619AA2B4A4C6A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2504a60d74c69f92a127765379228461db828cb860faf1b14140a545f752d46f
                            • Instruction ID: 865bc1c1511319ce8928b76657791b316a61cbfe76ea0ffe6806bd8ad35f2d98
                            • Opcode Fuzzy Hash: 2504a60d74c69f92a127765379228461db828cb860faf1b14140a545f752d46f
                            • Instruction Fuzzy Hash: 16C01232040108BBCB026A80C800E09BF2AAB54390F248018F7040D061E273D622AB80
                            Memory Dump Source
                            • Source File: 00000000.00000002.2122269315.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_4c80000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65b1a674740c454e7adaf28478d87e264e91e121b4bc1c86de276fee826e0b7a
                            • Instruction ID: dea267118e76763e5044d39fc330721ca4508d42c4415fe9ca4ab788151d03b2
                            • Opcode Fuzzy Hash: 65b1a674740c454e7adaf28478d87e264e91e121b4bc1c86de276fee826e0b7a
                            • Instruction Fuzzy Hash: 7BC09B30CC11109FCB55679CF80C35C3F65775131BF006555E5094045197B3A4E4D651

                            Execution Graph

                            Execution Coverage:18.9%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:5.3%
                            Total number of Nodes:76
                            Total number of Limit Nodes:13

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 427 136d0a8-136d147 GetCurrentProcess 431 136d150-136d184 GetCurrentThread 427->431 432 136d149-136d14f 427->432 433 136d186-136d18c 431->433 434 136d18d-136d1c1 GetCurrentProcess 431->434 432->431 433->434 436 136d1c3-136d1c9 434->436 437 136d1ca-136d1e5 call 136d289 434->437 436->437 440 136d1eb-136d21a GetCurrentThreadId 437->440 441 136d223-136d285 440->441 442 136d21c-136d222 440->442 442->441
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0136D136
                            • GetCurrentThread.KERNEL32 ref: 0136D173
                            • GetCurrentProcess.KERNEL32 ref: 0136D1B0
                            • GetCurrentThreadId.KERNEL32 ref: 0136D209
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: e844227ab34aadb5f521b432808c583ae92d43d0e8f5ac6991307e7c9679917d
                            • Instruction ID: 6df55f053857cd607eb0338e0719071cb8e04f2b59c1803a98238f110bf7a556
                            • Opcode Fuzzy Hash: e844227ab34aadb5f521b432808c583ae92d43d0e8f5ac6991307e7c9679917d
                            • Instruction Fuzzy Hash: A75155B49002098FDB44DFA9D548BAEBFF5EF48304F208459E159A73A0DB786944CF65

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 449 136d0b8-136d147 GetCurrentProcess 453 136d150-136d184 GetCurrentThread 449->453 454 136d149-136d14f 449->454 455 136d186-136d18c 453->455 456 136d18d-136d1c1 GetCurrentProcess 453->456 454->453 455->456 458 136d1c3-136d1c9 456->458 459 136d1ca-136d1e5 call 136d289 456->459 458->459 462 136d1eb-136d21a GetCurrentThreadId 459->462 463 136d223-136d285 462->463 464 136d21c-136d222 462->464 464->463
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0136D136
                            • GetCurrentThread.KERNEL32 ref: 0136D173
                            • GetCurrentProcess.KERNEL32 ref: 0136D1B0
                            • GetCurrentThreadId.KERNEL32 ref: 0136D209
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: befa12933b2e5a45daac98dfff543cc491e9244981217b7930f06c989e2de685
                            • Instruction ID: fb8112207c6ea41d10817da3253baea0219574b76a4482aace1f2641c4ffeb5c
                            • Opcode Fuzzy Hash: befa12933b2e5a45daac98dfff543cc491e9244981217b7930f06c989e2de685
                            • Instruction Fuzzy Hash: 775145B49002098FDB44DFAAD548BAEBFF5EF48314F20C459E119A73A0DB78A944CF65
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0136B086
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: e7349667bfdff08c80d4defc042319141bad87432dadb949ecf32b03b15b70c3
                            • Instruction ID: cd586ec2032a4c2c7bdde2c5e432604c177ee66bcae0cd1220b41e59420cb44a
                            • Opcode Fuzzy Hash: e7349667bfdff08c80d4defc042319141bad87432dadb949ecf32b03b15b70c3
                            • Instruction Fuzzy Hash: CA7125B0A00B058FD724DF69D45075ABBF9FF88308F00892DE44ADBA54DB75E849CB91
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 013659F1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 6bea1bd6efae0838478d29b6e550caa80a0798d632267f5c0557f5181f9b93dd
                            • Instruction ID: 14868a80ed804a70b240d1c79cf2757103096e8a3e2b1322bc67b9693c0c8b09
                            • Opcode Fuzzy Hash: 6bea1bd6efae0838478d29b6e550caa80a0798d632267f5c0557f5181f9b93dd
                            • Instruction Fuzzy Hash: 3F41C1B0C0071DCADB25DFA9C884B9DBBF5FF49304F20806AD408AB255DB756945CF91
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 013659F1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 39ae7be6d7fe924ee32dc8a308c692b56f9289daf5c20ee1daee010ed84f4523
                            • Instruction ID: 3997fd319e6f0d28d49bae973854dd885fb8bc0a8a521e5c64afe4b8e2613a55
                            • Opcode Fuzzy Hash: 39ae7be6d7fe924ee32dc8a308c692b56f9289daf5c20ee1daee010ed84f4523
                            • Instruction Fuzzy Hash: A04101B0C00719CEDB25CFA9C884B8DBBF9FF49308F20806AD408AB255DB756946CF90
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136D387
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 300822d81ae22d27952676748c0da942b2fd1ff99cd3324960c18ff49af94725
                            • Instruction ID: 4af4ccc571941fe3d903bfe1bf58bf298028fea199d8cfd106dd28714647d746
                            • Opcode Fuzzy Hash: 300822d81ae22d27952676748c0da942b2fd1ff99cd3324960c18ff49af94725
                            • Instruction Fuzzy Hash: 3721D3B59002489FDB10CFAAD984ADEFFF9FB48310F14841AE958A7350D378A954CFA5
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136D387
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 0243ebd97a41e0e804f8571e5889b9ea74f4e080669092e997e9acc958786b2a
                            • Instruction ID: a816d92c2a561ea697716bd4f3bb2ec475152e6efd1d10c419edc5a00c7aa027
                            • Opcode Fuzzy Hash: 0243ebd97a41e0e804f8571e5889b9ea74f4e080669092e997e9acc958786b2a
                            • Instruction Fuzzy Hash: F021C4B5D002099FDB10CF99D585AEEBBF9FB48314F14841AE958A7350D378A954CFA0
                            APIs
                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06DDE6BE), ref: 06DDE7C6
                            Memory Dump Source
                            • Source File: 00000007.00000002.2249391562.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6dd0000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: b9aa46ffd57e4f90dde367227b5af8bfde3cea33fc48795ecc43b1737eb78fac
                            • Instruction ID: b2d43e278c73d53b57be39e05a10ffb60f11bfb6852aeb70ff9e334df6584ac9
                            • Opcode Fuzzy Hash: b9aa46ffd57e4f90dde367227b5af8bfde3cea33fc48795ecc43b1737eb78fac
                            • Instruction Fuzzy Hash: 641112B5D00608AFDB60EF9AC444A9EFBF8EB88210F14842AD419BB611C379A545CFA0
                            APIs
                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06DDE6BE), ref: 06DDE7C6
                            Memory Dump Source
                            • Source File: 00000007.00000002.2249391562.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6dd0000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 669264facbde2873e14a2c5c49d8fa888e3634c9aaea708f1145a293af701852
                            • Instruction ID: 615ce0d003da085071cd376c1756fa2a699ead36b4d431a1b581cd619b7cb987
                            • Opcode Fuzzy Hash: 669264facbde2873e14a2c5c49d8fa888e3634c9aaea708f1145a293af701852
                            • Instruction Fuzzy Hash: 8E1134B6C002089FDB20DF9AD844ADEFBF8AF88310F14841AD418A7610C378A545CFA1
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07DC8AAD
                            Memory Dump Source
                            • Source File: 00000007.00000002.2251456412.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7dc0000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 09bd6d19376afd4da8f327ea6d53fea627c1dd067af7e0f962662c9a47ff862c
                            • Instruction ID: fcb6ea08b1f9115d82a8e9029ae97866a94b0adaf2396dcc8934d1fbaf67c86a
                            • Opcode Fuzzy Hash: 09bd6d19376afd4da8f327ea6d53fea627c1dd067af7e0f962662c9a47ff862c
                            • Instruction Fuzzy Hash: 9A11F2B58002499FCB10DF9AD945BDEFFF8EB48320F14841AE518A3600C379A944CFA1
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07DC8AAD
                            Memory Dump Source
                            • Source File: 00000007.00000002.2251456412.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7dc0000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: bbc047562ae2bc4424280e1055edd31af781d999eb34528df5aca643c9228d1d
                            • Instruction ID: 5a7bc9747364eb77531050dae9e3298b87d85b32c590ce435dfb9c078d306ce0
                            • Opcode Fuzzy Hash: bbc047562ae2bc4424280e1055edd31af781d999eb34528df5aca643c9228d1d
                            • Instruction Fuzzy Hash: F81103B58007499FCB10DF9AD985BDEFBF8FB48310F14841AE519A7200C379A944CFA1
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0136B086
                            Memory Dump Source
                            • Source File: 00000007.00000002.2228444248.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_1360000_Contract #U2116 KB #U2013 08152024 - 1.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: ebef471dae4aaca67a6b6ef0850a094ad61434bd522eaef0ba87972a1ddc8e17
                            • Instruction ID: a372bfb302e4b52a0b679f642026c499bbbfac58b452ca8ef9e9ce002caa32f8
                            • Opcode Fuzzy Hash: ebef471dae4aaca67a6b6ef0850a094ad61434bd522eaef0ba87972a1ddc8e17
                            • Instruction Fuzzy Hash: FB110FB6D003498FDB20DF9AC444A9EFFF8AB89214F10841AD528A7214C379A545CFA1

                            Execution Graph

                            Execution Coverage:11.6%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:175
                            Total number of Limit Nodes:18

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 026CD0BE
                            • GetCurrentThread.KERNEL32 ref: 026CD0FB
                            • GetCurrentProcess.KERNEL32 ref: 026CD138
                            • GetCurrentThreadId.KERNEL32 ref: 026CD191
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 026CD0BE
                            • GetCurrentThread.KERNEL32 ref: 026CD0FB
                            • GetCurrentProcess.KERNEL32 ref: 026CD138
                            • GetCurrentThreadId.KERNEL32 ref: 026CD191
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C51BFE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C51BFE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 026CAFFE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 026C59C9
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 026C59C9
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD717
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C517D0
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C517D0
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0

                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C518B0
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD717
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C511EE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C518B0
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C511EE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD717
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C516EE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C516EE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 026CAFFE
                            Memory Dump Source
                            • Source File: 00000009.00000002.2166947662.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_26c0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06C5552D
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06C5552D
                            Memory Dump Source
                            • Source File: 00000009.00000002.2170791924.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_9_2_6c50000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0

                            Execution Graph

                            Execution Coverage:7.6%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:88
                            Total number of Limit Nodes:10

                            Control-flow Graph

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E8B086
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2252912303.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_e80000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID: 0V$0V
                            • API String ID: 4139908857-4216712621

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00E859F1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2252912303.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_e80000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            Control-flow Graph

                            APIs
                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02BA4381
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2254485124.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2ba0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: CallProcWindow
                            • String ID:
                            • API String ID: 2714655100-0

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00E859F1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2252912303.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_e80000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            Control-flow Graph

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8D2C6,?,?,?,?,?), ref: 00E8D387
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2252912303.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_e80000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 97eb263b30a21c440b1528539b87757ab3006ce0bf40668536b5bf6c6d6fb25b
                            • Instruction ID: 4643c6917e2833b4a612af2d407df78e2afafe91101eec533b0f36cc5a9be820
                            • Opcode Fuzzy Hash: 97eb263b30a21c440b1528539b87757ab3006ce0bf40668536b5bf6c6d6fb25b
                            • Instruction Fuzzy Hash: 7721E6B59003089FDB10DF9AD984ADEBBF4FB48310F14805AE918B3350D378A954CFA5

                            Control-flow Graph

                            control_flow_graph 1160 e8d2f9-e8d2fe 1161 e8d300-e8d394 DuplicateHandle 1160->1161 1162 e8d39d-e8d3ba 1161->1162 1163 e8d396-e8d39c 1161->1163 1163->1162
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E8D2C6,?,?,?,?,?), ref: 00E8D387
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2252912303.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_e80000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: b3847a3379c8e87181852b1fb98fb8fb8dc5c56e19719e3599566eb57b4aa59f
                            • Instruction ID: a28fd603565bdb751575c6d9ad0a692800f5d6b995f921f845575ba29a2b7d55
                            • Opcode Fuzzy Hash: b3847a3379c8e87181852b1fb98fb8fb8dc5c56e19719e3599566eb57b4aa59f
                            • Instruction Fuzzy Hash: EC21E4B5900208AFDB10DF9AD985ADEBBF9FB48314F14801AE918B3350C378A950CFA1

                            Control-flow Graph

                            control_flow_graph 1166 6f17f68-6f17f75 1169 6f17f77-6f17f7b 1166->1169 1170 6f17ef8-6f17eff 1166->1170 1171 6f18a48-6f18ab2 PostMessageW 1169->1171 1170->1171 1172 6f18ab4-6f18aba 1171->1172 1173 6f18abb-6f18acf 1171->1173 1172->1173
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F18AA5
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2277950511.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_6f10000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: fa8e867accd10d20537ecb84c1c2dcc2e27f7d2e508d0ed2df6ed1af7132ced8
                            • Instruction ID: 6289c114fd4dc5ac3d810162e6227c70b711da102a31e7a21b29db564379a9e8
                            • Opcode Fuzzy Hash: fa8e867accd10d20537ecb84c1c2dcc2e27f7d2e508d0ed2df6ed1af7132ced8
                            • Instruction Fuzzy Hash: 5D1129B58003489FDB10DF99C944BDEBFF8EF48360F10845AD568A7290C378A944CFA1
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F18AA5
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2277950511.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_6f10000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 2d96907870482f5a4ef45d0529beb019b11771b78b66ada0a9ef95c9b924d8ec
                            • Instruction ID: 2eb82569b31322bea4a6aa72e860c6b1dae4f8c7c323f7f7eb25083077759c01
                            • Opcode Fuzzy Hash: 2d96907870482f5a4ef45d0529beb019b11771b78b66ada0a9ef95c9b924d8ec
                            • Instruction Fuzzy Hash: 8A1122B58002499FCB10DF99C848BEEBFF8EB48310F10845AE968A7240C379A544CFA0
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F18AA5
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2277950511.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_6f10000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: e10a6b195b82635a86c2cf5daf2db6b3248fd9efcb1e457562a4c1de244b3833
                            • Instruction ID: 9fd36998c4e45b948d8f4131477804de6ad030d016d4cfe615c8ab026c4fc78d
                            • Opcode Fuzzy Hash: e10a6b195b82635a86c2cf5daf2db6b3248fd9efcb1e457562a4c1de244b3833
                            • Instruction Fuzzy Hash: 831106B58003489FDB10DF99C948BDEBFF8FB58350F10845AE518A7240C379A944CFA1
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E8B086
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2252912303.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_e80000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 28396e8ea8456dc190b7b5b8daa0388e4b68b5ef931b75c2c83dadca7559239b
                            • Instruction ID: 892913daa650b04e93191b6a2cc5c9010c932460787fc7a1dca28480f6553c44
                            • Opcode Fuzzy Hash: 28396e8ea8456dc190b7b5b8daa0388e4b68b5ef931b75c2c83dadca7559239b
                            • Instruction Fuzzy Hash: 5911DFB5C00349CFCB20DF9AC444A9EFBF8EB89314F10841AD529B7210D379A545CFA1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2272668832.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_55b0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16af6f53f19d294f9bafac2c4074ac05fa8ee798223acf722780378731ef6eeb
                            • Instruction ID: d15b59275fec5648b2eeaf962bf95d5ad559be129c3c79ddb88b5f8a2cb7a445
                            • Opcode Fuzzy Hash: 16af6f53f19d294f9bafac2c4074ac05fa8ee798223acf722780378731ef6eeb
                            • Instruction Fuzzy Hash: 11F023302087408FE7455B28F95DA5D3FB9BF41611B4510ABF047CB672DF609885D750
                            Memory Dump Source
                            • Source File: 0000000C.00000002.2272668832.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_55b0000_pnizSfmxsGVsXD.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10230ef4737cbe7962328c275877417a7d39cfe37dd44a9c65c3f5ae55f1cc25
                            • Instruction ID: cf403a6a5b1660e0f2804ec38456ca8ad906ebb10d35d62e2e22fbf80e48e14e
                            • Opcode Fuzzy Hash: 10230ef4737cbe7962328c275877417a7d39cfe37dd44a9c65c3f5ae55f1cc25
                            • Instruction Fuzzy Hash: 7FD0A765E40248CBE7109B14AC1DB5B2AFAFB81106F8455A8D412876A8ED68C901CFA1