Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
datasheet.exe

Overview

General Information

Sample name:datasheet.exe
Analysis ID:1559975
MD5:27270bf6a969355e90e16289379cd6d1
SHA1:913f562df18cf266c3ae94605cce6c3ce084d472
SHA256:7292590b86e83ca5c6993b8c56578740d1f066c91baf3d95bee2bd34d9153f15
Tags:exeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • datasheet.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\datasheet.exe" MD5: 27270BF6A969355E90E16289379CD6D1)
    • powershell.exe (PID: 7572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8028 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7640 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7824 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • rjBdvmaV.exe (PID: 7944 cmdline: C:\Users\user\AppData\Roaming\rjBdvmaV.exe MD5: 27270BF6A969355E90E16289379CD6D1)
    • schtasks.exe (PID: 7192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "vladmir@propelind-com.cf", "Password": "marcellinus360"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.1481776134.00000000022CC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                9.2.RegSvcs.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x3501d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x3508f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x35119:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x351ab:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x35215:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x35287:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x3531d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x353ad:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.datasheet.exe.4014730.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.datasheet.exe.4014730.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 10 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 7372, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", ProcessId: 7572, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 7372, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", ProcessId: 7572, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\rjBdvmaV.exe, ParentImage: C:\Users\user\AppData\Roaming\rjBdvmaV.exe, ParentProcessId: 7944, ParentProcessName: rjBdvmaV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp", ProcessId: 7192, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7824, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49711
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 7372, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp", ProcessId: 7640, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 7372, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", ProcessId: 7572, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 7372, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp", ProcessId: 7640, ProcessName: schtasks.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: datasheet.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeAvira: detection malicious, Label: HEUR/AGEN.1305393
                    Found malware configuration
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "vladmir@propelind-com.cf", "Password": "marcellinus360"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeReversingLabs: Detection: 52%
                    Multi AV Scanner detection for submitted file
                    Source: datasheet.exeReversingLabs: Detection: 52%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: datasheet.exeJoe Sandbox ML: detected
                    Source: datasheet.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2
                    Source: datasheet.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: hxtm.pdbSHA256 source: datasheet.exe, rjBdvmaV.exe.0.dr
                    Source: Binary string: hxtm.pdb source: datasheet.exe, rjBdvmaV.exe.0.dr
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 4x nop then jmp 07A001ADh0_2_07A004EE
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 4x nop then jmp 0573F355h10_2_0573F696
                    Source: global trafficTCP traffic: 192.168.2.8:49711 -> 77.88.21.158:587
                    Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.8:49711 -> 77.88.21.158:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: smtp.yandex.com
                    Source: RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.gl
                    Source: RegSvcs.exe, 0000000E.00000002.3874030574.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861944532.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
                    Source: RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861427865.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861427865.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3873923149.00000000054C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                    Source: RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861944532.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root.crl0G
                    Source: RegSvcs.exe, 00000009.00000002.1485890032.0000000005780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co3f
                    Source: RegSvcs.exe, 0000000E.00000002.3874030574.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861944532.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
                    Source: RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861944532.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
                    Source: RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861427865.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861427865.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3873923149.00000000054C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: datasheet.exe, 00000000.00000002.1448835097.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmp, rjBdvmaV.exe, 0000000A.00000002.1507025767.0000000002505000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegSvcs.exe, 0000000E.00000002.3874030574.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861944532.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
                    Source: RegSvcs.exe, 00000009.00000002.1481776134.00000000022CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.yandex.com
                    Source: datasheet.exe, 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: datasheet.exe, 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: RegSvcs.exe, 0000000E.00000002.3874030574.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861944532.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861427865.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3874030574.00000000054DE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3861427865.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3873923149.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, J8Fc3eM3B.cs.Net Code: _0f2dkte
                    Source: 0.2.datasheet.exe.4014730.2.raw.unpack, J8Fc3eM3B.cs.Net Code: _0f2dkte
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.datasheet.exe.4014730.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.datasheet.exe.4050f50.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.datasheet.exe.4014730.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_02DEDF640_2_02DEDF64
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_05497C080_2_05497C08
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_054900400_2_05490040
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_054900060_2_05490006
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_0549A0B10_2_0549A0B1
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077C16F80_2_077C16F8
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077C16E80_2_077C16E8
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077CA4280_2_077CA428
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077CC4B00_2_077CC4B0
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077CC4A30_2_077CC4A3
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077C9FF00_2_077C9FF0
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077CBB000_2_077CBB00
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_077CA8600_2_077CA860
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_07A01EF80_2_07A01EF8
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_07A035700_2_07A03570
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020B4A889_2_020B4A88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020BA9589_2_020BA958
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020B3E709_2_020B3E70
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020B41B89_2_020B41B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020BFB489_2_020BFB48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D545A09_2_05D545A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D535509_2_05D53550
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D5A1D89_2_05D5A1D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D510009_2_05D51000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D592789_2_05D59278
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D5E2609_2_05D5E260
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D55DD09_2_05D55DD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D5C4089_2_05D5C408
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D556D89_2_05D556D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D550589_2_05D55058
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05D53C8B9_2_05D53C8B
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_00A2DF6410_2_00A2DF64
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0573A42810_2_0573A428
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0573C4B010_2_0573C4B0
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0573C4A110_2_0573C4A1
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_057316F810_2_057316F8
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_057316C110_2_057316C1
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_05739FF010_2_05739FF0
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0573A86010_2_0573A860
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0573BB0010_2_0573BB00
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0A13102110_2_0A131021
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0A1326A810_2_0A1326A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_011141B814_2_011141B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111AA2214_2_0111AA22
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01114A8814_2_01114A88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01113E7014_2_01113E70
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111FB4814_2_0111FB48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649927014_2_06499270
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649100014_2_06491000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649E4D714_2_0649E4D7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649354814_2_06493548
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06495DC814_2_06495DC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649A1D014_2_0649A1D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649459814_2_06494598
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_064956D014_2_064956D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649032A14_2_0649032A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649505014_2_06495050
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0649C40014_2_0649C400
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06493C8314_2_06493C83
                    Source: datasheet.exe, 00000000.00000002.1447032579.000000000109E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef20b0739-611c-4257-8b83-aec156cdf589.exe4 vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1448835097.0000000002FF5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef20b0739-611c-4257-8b83-aec156cdf589.exe4 vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1448835097.0000000002F81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1458138291.0000000008070000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1449663902.00000000041FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000000.1392393474.0000000000C02000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamehxtm.exeB vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1456692777.0000000005780000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs datasheet.exe
                    Source: datasheet.exe, 00000000.00000002.1457249341.00000000076D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamehxtm.exeB vs datasheet.exe
                    Source: datasheet.exeBinary or memory string: OriginalFilenamehxtm.exeB vs datasheet.exe
                    Source: datasheet.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.datasheet.exe.4014730.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.datasheet.exe.4050f50.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.datasheet.exe.4014730.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: datasheet.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: rjBdvmaV.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, Dn9SD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, Dn9SD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, VM8ZCyu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, VM8ZCyu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, VM8ZCyu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, VM8ZCyu.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, xJtxdMb61s.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.datasheet.exe.4050f50.3.raw.unpack, xJtxdMb61s.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, NgqCesrosgMKMwD7af.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, NgqCesrosgMKMwD7af.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, M92ut0D7FdoxnVW2Co.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, M92ut0D7FdoxnVW2Co.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, M92ut0D7FdoxnVW2Co.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, M92ut0D7FdoxnVW2Co.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, M92ut0D7FdoxnVW2Co.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, M92ut0D7FdoxnVW2Co.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
                    Source: C:\Users\user\Desktop\datasheet.exeFile created: C:\Users\user\AppData\Roaming\rjBdvmaV.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMutant created: \Sessions\1\BaseNamedObjects\hYTLeg
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
                    Source: C:\Users\user\Desktop\datasheet.exeFile created: C:\Users\user\AppData\Local\Temp\tmp43D7.tmpJump to behavior
                    Source: datasheet.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: datasheet.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\datasheet.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: datasheet.exeReversingLabs: Detection: 52%
                    Source: C:\Users\user\Desktop\datasheet.exeFile read: C:\Users\user\Desktop\datasheet.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\datasheet.exe "C:\Users\user\Desktop\datasheet.exe"
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\rjBdvmaV.exe C:\Users\user\AppData\Roaming\rjBdvmaV.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\datasheet.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\datasheet.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: datasheet.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: datasheet.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: datasheet.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: hxtm.pdbSHA256 source: datasheet.exe, rjBdvmaV.exe.0.dr
                    Source: Binary string: hxtm.pdb source: datasheet.exe, rjBdvmaV.exe.0.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: datasheet.exe, MainForm.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: rjBdvmaV.exe.0.dr, MainForm.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, M92ut0D7FdoxnVW2Co.cs.Net Code: v37aK9O4Lj System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, M92ut0D7FdoxnVW2Co.cs.Net Code: v37aK9O4Lj System.Reflection.Assembly.Load(byte[])
                    Source: datasheet.exeStatic PE information: 0xBE7E5369 [Sat Apr 11 03:52:09 2071 UTC]
                    Source: C:\Users\user\Desktop\datasheet.exeCode function: 0_2_02DEE768 push esp; retf 0_2_02DEE769
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020BA6C8 push F40487CCh; retf 9_2_020BA855
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_020B0C77 push edi; retf 9_2_020B0C7A
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeCode function: 10_2_0573FD36 push es; retf 10_2_0573FD37
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111A6C8 push F4050ECCh; retf 14_2_0111A855
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01110C77 push edi; retf 14_2_01110C7A
                    Source: datasheet.exeStatic PE information: section name: .text entropy: 7.978892669414508
                    Source: rjBdvmaV.exe.0.drStatic PE information: section name: .text entropy: 7.978892669414508
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, hde3RbaIEn5B3Fvoah.csHigh entropy of concatenated method names: 'spi2bgqCes', 'Hsg2DMKMwD', 'D3Y2fMWgfn', 'O272FkFF8r', 'vgG2TRsrXg', 'TSu294AE5N', 'DQ9wARzKwJpxbqInae', 'DmVRHSAGMh4CbfCQn0U', 'oKq223HaD3', 'IUs2gMUE2I'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, FfGsTDw6Td8PUW3LpD.csHigh entropy of concatenated method names: 'R0VbEq8AtW', 'qQgbXtDE5K', 'zXtbAaZNJG', 'iM5A8gS6c9', 'sD7AzOKDwa', 'PVPbZctUnB', 'CmLb2hIK9K', 'QBIbInue99', 'R3EbgT5pCv', 'rgIbap4FJK'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, Iqs7MTepbjsKKQjR2O.csHigh entropy of concatenated method names: 'sDyBrcLojU', 'PT4BQFX8YX', 'KkABspX6xU', 'YqhBoauqfe', 'FGeBYuRspH', 'mppBvgWb5r', 'Tj4Bw6fQ02', 'fJKBOO7PjV', 'tPeBioV8Da', 'cqPBUGeX5B'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, x5KIxnzF6SaxDs16xw.csHigh entropy of concatenated method names: 'pq5Pp5MwDM', 'aVPPrXqBSv', 'yXkPQhnbdD', 'zPMPsCfXvl', 'guqPoRfoss', 'FetPYHZSP5', 'b7ZPvqUACv', 'v9nPRDKh48', 'd0EPHTBqmk', 'WKaPdfQBWK'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, yZiT4V74dShVkQZUws.csHigh entropy of concatenated method names: 'y0MAj8bxm8', 'zaEAxMcsMe', 'GOiAc2DGLv', 'ToString', 'XVcAWihUtQ', 'NpKANxjkf3', 'Y32ChRVh4fSx6c0PhsW', 'O09w8fVRD4XExdPRtGe', 'BqqFy3V1tU62urBwtgT'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, kcpYodJG22VVeftSXm.csHigh entropy of concatenated method names: 'RY6bHlSTJK', 'uq7bdrmqU2', 'OQ8bKyvArX', 'SDTbtETmVB', 'BQ1bum44Rh', 'rBIbpNZVkl', 'idwbGjCQRy', 'SX7brXu9n5', 'lm0bQmjBv8', 'mwnbqHdN70'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, WNasJt059BPgpEG464.csHigh entropy of concatenated method names: 'Dispose', 'lU523WC1OB', 'naTIoMteNu', 'y2QUM4SMtV', 'YK1281HDqr', 'VpA2z6aDZ3', 'ProcessDialogKey', 'nxhIZNQGgm', 'qkMI2BKpYi', 'NuSIIaVpQF'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, Y0wfMOWLD0nGXcYgnc.csHigh entropy of concatenated method names: 'ymgySKNOoA', 'Nury83FRIy', 'ELXMZT3prM', 'S7XM2c9A1Z', 'mwwyU6CJ20', 'l8gy1Xf05e', 'x8ZyeeUYMB', 'abbyCl7IHi', 'WMAykxGk3v', 'Q9iyjjH8SF'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, gjKh8NXOQL3riaKago.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'v9qI3oesNb', 'VnSI8Uhgvk', 'RvvIzV0hAd', 'T3FgZ2swS4', 'OOyg2TA0FW', 'd8CgIsJs9R', 'YWtggK0m19', 'kgFgXJAID0lDkivicJx'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, ogI0HYjfFxJyDgHDxG.csHigh entropy of concatenated method names: 'ToString', 'RWB9UMWqkX', 'zpE9oWRnf5', 'ix096XRCu1', 'QBF9YoIRIH', 'dtQ9vGOe86', 'AQ597sMN5a', 'd7y9wQGTOy', 'EnV9OBHUoi', 'sSt9JEtkH3'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, eVpQFj8FLqd3AcwqkQ.csHigh entropy of concatenated method names: 'olYPXXTXy0', 'TQLP5TY66V', 'BILPAEGVcv', 'BI8PbQ7kjT', 'X8aPmsq2ys', 'rmPPDrNro8', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, vNQGgm3ykMBKpYiiuS.csHigh entropy of concatenated method names: 'fYomsgHc4D', 'J92mo5NEaq', 'LHBm6O58Ka', 'e5NmYXiiTJ', 'T8Mmv5cwFs', 'e9km7wbShS', 'VHTmwJ1DOq', 'mTZmON3keB', 'ngMmJJcM4J', 'EGLmi3TpMM'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, TohwoqIB7KTGilrBcP.csHigh entropy of concatenated method names: 'G4UK0FwBW', 'Hr9tMOSNW', 'fump0xtnt', 'l4jG1uy85', 'hgdQ2xJc8', 'oL1qPAimY', 'rlfdTro3Zl9khpmNXR', 'Ob8vePKpJ80Pv1Vp59', 'hqUMaOhpk', 'JOyPsuy8n'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, M92ut0D7FdoxnVW2Co.csHigh entropy of concatenated method names: 'RBSgnRNyTM', 'h9PgEdHPJr', 'A5yg0RYcsJ', 'lVJgXpDWJn', 'fghg5r2OWm', 'kr7gAV4JvO', 'WU5gbPqHr9', 'RvbgD8FZFk', 'Ik5gVi0tiR', 'FmKgfLmYvS'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, AEXrIDCleAjcdNqiDL.csHigh entropy of concatenated method names: 'XwxTiFuGri', 'tiPT1fRxXB', 'dO7TCpIw0e', 'XpyTkRHtJ5', 'zpdToOaVbH', 'kFET6lidWw', 'HwGTYcXqRo', 'y56TvZao8w', 'jlkT7yIiv2', 'X7iTwHKy7C'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, NgqCesrosgMKMwD7af.csHigh entropy of concatenated method names: 'cPj0CicnF4', 'vYJ0kmtRSr', 'e3D0jlYjGl', 'HoQ0x0gPJO', 'pei0cosXgv', 'XC50WTDoEW', 'rti0NK4xHN', 'rw60S8kDxj', 'ctS03K4K7W', 'BVj08FVMLE'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, bepENeNHgVU5WC1OB3.csHigh entropy of concatenated method names: 'hQymT36QQ8', 'Reumy2eGyy', 'dh2mmBw6HD', 'BDNm49uWLv', 'fxumLlocW3', 'PhCmRcmLUV', 'Dispose', 'xnIMEWEuXg', 'zsxM0FC6LM', 'bOlMXecmQK'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, uyXqCTogQ1EhyxmrHv.csHigh entropy of concatenated method names: 'k0LfcaV9FdxD0lXd8BK', 'gFKKOTVFGtQsrnX7wvm', 'lSeAMj1LmU', 'RLiAmKqdtV', 'FhWAPI8QM0', 'dXN4H9V2CkRw6HXp8e0', 'WiTSTQVlbfXXZoIGXWE'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, jWLMbI2aSnIGstPMXBA.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BPvlmAwr9p', 'KLylPlD6uS', 'QCtl4IBhlR', 'vfbllmSE4K', 'F6nlLdD9cD', 'mCnlhKQnQO', 'j6vlRmSkYs'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, DXgxSus4AE5Ni06XHw.csHigh entropy of concatenated method names: 'NjyAnnptvM', 'I9NA0DKHsS', 'yDCA56lwQF', 'T3tAbIslNT', 'WPlADHS63Z', 'RC65csd7t9', 'IGH5Wooi5G', 'qcX5Nl8nlS', 'NoM5SGhnLN', 'FCa53tx0kw'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, fvdO05xjf566yawrsq.csHigh entropy of concatenated method names: 'Ux6yf2AP8S', 'nCKyFuPq7Z', 'ToString', 'ETNyEL0Fnm', 'E0iy0Djdts', 'G6myXxutlF', 'BFHy5kg1Hw', 'gT5yAmUP8h', 'AVLybBmqgd', 'BR1yDJ7sCp'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, wjpc7T22NZ9PqdDS42F.csHigh entropy of concatenated method names: 'Y7oP8f3yqx', 'sC3Pzp76lj', 'M5O4Zhq9e6', 'JA942BVJyf', 'iPr4IInbfN', 'Aqt4gC4inn', 'LGg4atP6GG', 'asG4nFLsmJ', 'fu24ElXUCh', 'dTG40S0WQ4'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, qhYtHp2Z9Bka3MkZ6E2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'M3ZPUpiF14', 'lcEP1nik3U', 'QbmPelJnYu', 'PYkPC8Dpcx', 'u0XPkjnRLa', 'tbBPjGmWLD', 'TUPPxvkrm4'
                    Source: 0.2.datasheet.exe.4222b90.1.raw.unpack, wX714rQ3YMWgfnU27k.csHigh entropy of concatenated method names: 'lJcXt1Nugl', 'QNyXpNxTj6', 'Dp8XrPylMe', 'va5XQ5YflB', 'Q8mXT0JCFK', 'eeHX9EpD0C', 'VXbXyNCEOD', 'j94XMg1mMJ', 'vhCXmmVsp4', 'k8qXP2g9WM'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, hde3RbaIEn5B3Fvoah.csHigh entropy of concatenated method names: 'spi2bgqCes', 'Hsg2DMKMwD', 'D3Y2fMWgfn', 'O272FkFF8r', 'vgG2TRsrXg', 'TSu294AE5N', 'DQ9wARzKwJpxbqInae', 'DmVRHSAGMh4CbfCQn0U', 'oKq223HaD3', 'IUs2gMUE2I'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, FfGsTDw6Td8PUW3LpD.csHigh entropy of concatenated method names: 'R0VbEq8AtW', 'qQgbXtDE5K', 'zXtbAaZNJG', 'iM5A8gS6c9', 'sD7AzOKDwa', 'PVPbZctUnB', 'CmLb2hIK9K', 'QBIbInue99', 'R3EbgT5pCv', 'rgIbap4FJK'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, Iqs7MTepbjsKKQjR2O.csHigh entropy of concatenated method names: 'sDyBrcLojU', 'PT4BQFX8YX', 'KkABspX6xU', 'YqhBoauqfe', 'FGeBYuRspH', 'mppBvgWb5r', 'Tj4Bw6fQ02', 'fJKBOO7PjV', 'tPeBioV8Da', 'cqPBUGeX5B'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, x5KIxnzF6SaxDs16xw.csHigh entropy of concatenated method names: 'pq5Pp5MwDM', 'aVPPrXqBSv', 'yXkPQhnbdD', 'zPMPsCfXvl', 'guqPoRfoss', 'FetPYHZSP5', 'b7ZPvqUACv', 'v9nPRDKh48', 'd0EPHTBqmk', 'WKaPdfQBWK'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, yZiT4V74dShVkQZUws.csHigh entropy of concatenated method names: 'y0MAj8bxm8', 'zaEAxMcsMe', 'GOiAc2DGLv', 'ToString', 'XVcAWihUtQ', 'NpKANxjkf3', 'Y32ChRVh4fSx6c0PhsW', 'O09w8fVRD4XExdPRtGe', 'BqqFy3V1tU62urBwtgT'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, kcpYodJG22VVeftSXm.csHigh entropy of concatenated method names: 'RY6bHlSTJK', 'uq7bdrmqU2', 'OQ8bKyvArX', 'SDTbtETmVB', 'BQ1bum44Rh', 'rBIbpNZVkl', 'idwbGjCQRy', 'SX7brXu9n5', 'lm0bQmjBv8', 'mwnbqHdN70'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, WNasJt059BPgpEG464.csHigh entropy of concatenated method names: 'Dispose', 'lU523WC1OB', 'naTIoMteNu', 'y2QUM4SMtV', 'YK1281HDqr', 'VpA2z6aDZ3', 'ProcessDialogKey', 'nxhIZNQGgm', 'qkMI2BKpYi', 'NuSIIaVpQF'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, Y0wfMOWLD0nGXcYgnc.csHigh entropy of concatenated method names: 'ymgySKNOoA', 'Nury83FRIy', 'ELXMZT3prM', 'S7XM2c9A1Z', 'mwwyU6CJ20', 'l8gy1Xf05e', 'x8ZyeeUYMB', 'abbyCl7IHi', 'WMAykxGk3v', 'Q9iyjjH8SF'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, gjKh8NXOQL3riaKago.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'v9qI3oesNb', 'VnSI8Uhgvk', 'RvvIzV0hAd', 'T3FgZ2swS4', 'OOyg2TA0FW', 'd8CgIsJs9R', 'YWtggK0m19', 'kgFgXJAID0lDkivicJx'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, ogI0HYjfFxJyDgHDxG.csHigh entropy of concatenated method names: 'ToString', 'RWB9UMWqkX', 'zpE9oWRnf5', 'ix096XRCu1', 'QBF9YoIRIH', 'dtQ9vGOe86', 'AQ597sMN5a', 'd7y9wQGTOy', 'EnV9OBHUoi', 'sSt9JEtkH3'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, eVpQFj8FLqd3AcwqkQ.csHigh entropy of concatenated method names: 'olYPXXTXy0', 'TQLP5TY66V', 'BILPAEGVcv', 'BI8PbQ7kjT', 'X8aPmsq2ys', 'rmPPDrNro8', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, vNQGgm3ykMBKpYiiuS.csHigh entropy of concatenated method names: 'fYomsgHc4D', 'J92mo5NEaq', 'LHBm6O58Ka', 'e5NmYXiiTJ', 'T8Mmv5cwFs', 'e9km7wbShS', 'VHTmwJ1DOq', 'mTZmON3keB', 'ngMmJJcM4J', 'EGLmi3TpMM'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, TohwoqIB7KTGilrBcP.csHigh entropy of concatenated method names: 'G4UK0FwBW', 'Hr9tMOSNW', 'fump0xtnt', 'l4jG1uy85', 'hgdQ2xJc8', 'oL1qPAimY', 'rlfdTro3Zl9khpmNXR', 'Ob8vePKpJ80Pv1Vp59', 'hqUMaOhpk', 'JOyPsuy8n'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, M92ut0D7FdoxnVW2Co.csHigh entropy of concatenated method names: 'RBSgnRNyTM', 'h9PgEdHPJr', 'A5yg0RYcsJ', 'lVJgXpDWJn', 'fghg5r2OWm', 'kr7gAV4JvO', 'WU5gbPqHr9', 'RvbgD8FZFk', 'Ik5gVi0tiR', 'FmKgfLmYvS'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, AEXrIDCleAjcdNqiDL.csHigh entropy of concatenated method names: 'XwxTiFuGri', 'tiPT1fRxXB', 'dO7TCpIw0e', 'XpyTkRHtJ5', 'zpdToOaVbH', 'kFET6lidWw', 'HwGTYcXqRo', 'y56TvZao8w', 'jlkT7yIiv2', 'X7iTwHKy7C'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, NgqCesrosgMKMwD7af.csHigh entropy of concatenated method names: 'cPj0CicnF4', 'vYJ0kmtRSr', 'e3D0jlYjGl', 'HoQ0x0gPJO', 'pei0cosXgv', 'XC50WTDoEW', 'rti0NK4xHN', 'rw60S8kDxj', 'ctS03K4K7W', 'BVj08FVMLE'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, bepENeNHgVU5WC1OB3.csHigh entropy of concatenated method names: 'hQymT36QQ8', 'Reumy2eGyy', 'dh2mmBw6HD', 'BDNm49uWLv', 'fxumLlocW3', 'PhCmRcmLUV', 'Dispose', 'xnIMEWEuXg', 'zsxM0FC6LM', 'bOlMXecmQK'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, uyXqCTogQ1EhyxmrHv.csHigh entropy of concatenated method names: 'k0LfcaV9FdxD0lXd8BK', 'gFKKOTVFGtQsrnX7wvm', 'lSeAMj1LmU', 'RLiAmKqdtV', 'FhWAPI8QM0', 'dXN4H9V2CkRw6HXp8e0', 'WiTSTQVlbfXXZoIGXWE'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, jWLMbI2aSnIGstPMXBA.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BPvlmAwr9p', 'KLylPlD6uS', 'QCtl4IBhlR', 'vfbllmSE4K', 'F6nlLdD9cD', 'mCnlhKQnQO', 'j6vlRmSkYs'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, DXgxSus4AE5Ni06XHw.csHigh entropy of concatenated method names: 'NjyAnnptvM', 'I9NA0DKHsS', 'yDCA56lwQF', 'T3tAbIslNT', 'WPlADHS63Z', 'RC65csd7t9', 'IGH5Wooi5G', 'qcX5Nl8nlS', 'NoM5SGhnLN', 'FCa53tx0kw'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, fvdO05xjf566yawrsq.csHigh entropy of concatenated method names: 'Ux6yf2AP8S', 'nCKyFuPq7Z', 'ToString', 'ETNyEL0Fnm', 'E0iy0Djdts', 'G6myXxutlF', 'BFHy5kg1Hw', 'gT5yAmUP8h', 'AVLybBmqgd', 'BR1yDJ7sCp'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, wjpc7T22NZ9PqdDS42F.csHigh entropy of concatenated method names: 'Y7oP8f3yqx', 'sC3Pzp76lj', 'M5O4Zhq9e6', 'JA942BVJyf', 'iPr4IInbfN', 'Aqt4gC4inn', 'LGg4atP6GG', 'asG4nFLsmJ', 'fu24ElXUCh', 'dTG40S0WQ4'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, qhYtHp2Z9Bka3MkZ6E2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'M3ZPUpiF14', 'lcEP1nik3U', 'QbmPelJnYu', 'PYkPC8Dpcx', 'u0XPkjnRLa', 'tbBPjGmWLD', 'TUPPxvkrm4'
                    Source: 0.2.datasheet.exe.8070000.5.raw.unpack, wX714rQ3YMWgfnU27k.csHigh entropy of concatenated method names: 'lJcXt1Nugl', 'QNyXpNxTj6', 'Dp8XrPylMe', 'va5XQ5YflB', 'Q8mXT0JCFK', 'eeHX9EpD0C', 'VXbXyNCEOD', 'j94XMg1mMJ', 'vhCXmmVsp4', 'k8qXP2g9WM'
                    Source: C:\Users\user\Desktop\datasheet.exeFile created: C:\Users\user\AppData\Roaming\rjBdvmaV.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: datasheet.exe PID: 7372, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rjBdvmaV.exe PID: 7944, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: 2D40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: 2D40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: 8200000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: 9200000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: 93C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: A3C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: A20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: 2490000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: 4490000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: 72C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: 82C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: 8470000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: 9470000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5721Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6018Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2523Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1457Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8416
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1421
                    Source: C:\Users\user\Desktop\datasheet.exe TID: 7392Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 5721 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exe TID: 8124Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\datasheet.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99887Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99776Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98889Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98732Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98621Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98277Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98167Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97951Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97842Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97734Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99282
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99157
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98607
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97954
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97079
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96954
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96079
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95954
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94247
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94119
                    Source: rjBdvmaV.exe, 0000000A.00000002.1505640982.0000000000870000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y?>
                    Source: RegSvcs.exe, 0000000E.00000002.3874907924.0000000005E80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                    Source: RegSvcs.exe, 00000009.00000002.1485890032.0000000005780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\datasheet.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe"
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe"Jump to behavior
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\datasheet.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\datasheet.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\datasheet.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2CB008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AAA008Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeQueries volume information: C:\Users\user\Desktop\datasheet.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\datasheet.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeQueries volume information: C:\Users\user\AppData\Roaming\rjBdvmaV.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\rjBdvmaV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4014730.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4050f50.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4050f50.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4014730.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1481776134.00000000022CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: datasheet.exe PID: 7372, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7824, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 332, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4014730.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4050f50.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4050f50.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4014730.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: datasheet.exe PID: 7372, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7824, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 332, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4014730.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4050f50.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4050f50.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.datasheet.exe.4014730.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.1481776134.00000000022CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: datasheet.exe PID: 7372, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7824, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 332, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		311
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job                    		3
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		211
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets141
                    Virtualization/Sandbox Evasion                    		SSH1
                    Clipboard Data                    		23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1559975 Sample: datasheet.exe Startdate: 21/11/2024 Architecture: WINDOWS Score: 100 46 smtp.yandex.ru 2->46 48 smtp.yandex.com 2->48 50 api.ipify.org 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 9 other signatures 2->62 8 datasheet.exe 7 2->8         started        12 rjBdvmaV.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\rjBdvmaV.exe, PE32 8->38 dropped 40 C:\Users\...\rjBdvmaV.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp43D7.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\datasheet.exe.log, ASCII 8->44 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 8->64 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 76 2 other signatures 8->76 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        70 Antivirus detection for dropped file 12->70 72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 smtp.yandex.ru 77.88.21.158, 49711, 49714, 49717 YANDEXRU Russian Federation 14->52 54 api.ipify.org 104.26.13.205, 443, 49709, 49713 CLOUDFLARENETUS United States 14->54 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->78 80 Loading BitLocker PowerShell Module 18->80 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->82 84 Tries to steal Mail credentials (via file / registry access) 24->84 86 Tries to harvest and steal ftp login credentials 24->86 88 2 other signatures 24->88 36 conhost.exe 26->36         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    datasheet.exe53%ReversingLabsWin32.Spyware.Negasteal
                    datasheet.exe100%AviraHEUR/AGEN.1305393
                    datasheet.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\rjBdvmaV.exe100%AviraHEUR/AGEN.1305393
                    C:\Users\user\AppData\Roaming\rjBdvmaV.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\rjBdvmaV.exe53%ReversingLabsWin32.Trojan.AgentTesla

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://microsoft.co3f0%Avira URL Cloudsafe
                    http://crl.gl0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    smtp.yandex.ru
                    		77.88.21.158
                    		truefalse
                      		high
                      api.ipify.org
                      		104.26.13.205
                      		truefalse
                        		high
                        smtp.yandex.com
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://microsoft.co3fRegSvcs.exe, 00000009.00000002.1485890032.0000000005780000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://api.ipify.orgdatasheet.exe, 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://account.dyn.com/datasheet.exe, 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                		high
                                https://api.ipify.org/tRegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://crl.glRegSvcs.exe, 0000000E.00000002.3875598842.0000000005F12000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namedatasheet.exe, 00000000.00000002.1448835097.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1481776134.0000000002251000.00000004.00000800.00020000.00000000.sdmp, rjBdvmaV.exe, 0000000A.00000002.1507025767.0000000002505000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://smtp.yandex.comRegSvcs.exe, 00000009.00000002.1481776134.00000000022CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002D95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3862783445.0000000002E8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      77.88.21.158
                                      		smtp.yandex.ruRussian Federation
                                      		13238YANDEXRUfalse
                                      104.26.13.205
                                      		api.ipify.orgUnited States
                                      		13335CLOUDFLARENETUSfalse

                                      General Information

                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1559975
                                      Start date and time:2024-11-21 08:58:07 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 9m 39s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:19
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:datasheet.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@19/15@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 208
                                      • Number of non-executed functions: 12
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                                      Warnings

                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • VT rate limit hit for: datasheet.exe

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      02:59:00API Interceptor3x Sleep call for process: datasheet.exe modified
                                      02:59:04API Interceptor39x Sleep call for process: powershell.exe modified
                                      02:59:06API Interceptor8986519x Sleep call for process: RegSvcs.exe modified
                                      02:59:07API Interceptor3x Sleep call for process: rjBdvmaV.exe modified
                                      08:59:04Task SchedulerRun new task: rjBdvmaV path: C:\Users\user\AppData\Roaming\rjBdvmaV.exe

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      77.88.21.1580zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                        BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                          REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                            DHL Delivery Invoice.com.exeGet hashmaliciousAgentTeslaBrowse
                                              Transferencias6231.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                  Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    TRANSFERENCIA BANCARIA.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      xBneIooWzQjjOOg.exeGet hashmaliciousAgentTeslaBrowse
                                                        Justificante_13087.vbeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          104.26.13.2052b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                          • api.ipify.org/
                                                          Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/
                                                          file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, Stealc, VidarBrowse
                                                          • api.ipify.org/

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          smtp.yandex.ru0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                          • 77.88.21.158
                                                          BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                          • 77.88.21.158
                                                          REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 77.88.21.158
                                                          DHL Delivery Invoice.com.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 77.88.21.158
                                                          Transferencias6231.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 77.88.21.158
                                                          Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 77.88.21.158
                                                          Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 77.88.21.158
                                                          TRANSFERENCIA BANCARIA.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 77.88.21.158
                                                          xBneIooWzQjjOOg.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 77.88.21.158
                                                          Justificante_13087.vbeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 77.88.21.158
                                                          api.ipify.orghttps://www.canva.com/design/DAGXCpgrUrs/iMtluWgvWDmsrSdUOsij5Q/view?utm_content=DAGXCpgrUrs&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                          • 104.26.12.205
                                                          https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.htmlGet hashmaliciousGabagoolBrowse
                                                          • 104.26.12.205
                                                          https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.comGet hashmaliciousUnknownBrowse
                                                          • 104.26.12.205
                                                          IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                          • 172.67.74.152
                                                          order and drawings_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.12.205
                                                          vessel details_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.12.205
                                                          MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.13.205
                                                          QuarantineMessage.zipGet hashmaliciousUnknownBrowse
                                                          • 172.67.74.152
                                                          https://hmjpvx0wn1.gaimensebb.shop/Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                          • 104.26.13.205
                                                          MVV ALIADO - S-REQ-19-00064 40ft 1x20.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • 172.67.74.152

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          YANDEXRU0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                          • 77.88.21.158
                                                          BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                          • 77.88.21.158
                                                          Unit 2_week 4 2024.pptxGet hashmaliciousHTMLPhisherBrowse
                                                          • 77.88.21.90
                                                          REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 77.88.21.158
                                                          https://vivantskincare.taplink.wsGet hashmaliciousHTMLPhisherBrowse
                                                          • 93.158.134.119
                                                          DHL Delivery Invoice.com.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 77.88.21.158
                                                          https://sites.google.com/view/we2k-/homeGet hashmaliciousUnknownBrowse
                                                          • 87.250.250.119
                                                          Cursor Commander.exeGet hashmaliciousUnknownBrowse
                                                          • 213.180.204.90
                                                          SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exeGet hashmaliciousUnknownBrowse
                                                          • 213.180.193.14
                                                          SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exeGet hashmaliciousUnknownBrowse
                                                          • 213.180.204.196
                                                          CLOUDFLARENETUSORDER 20240986 OA.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                          • 188.114.96.3
                                                          file.exeGet hashmaliciousLummaCBrowse
                                                          • 188.114.96.3
                                                          Secured Audlo_secpod.com_1524702658.htmlGet hashmaliciousUnknownBrowse
                                                          • 104.17.25.14
                                                          file.exeGet hashmaliciousLummaCBrowse
                                                          • 188.114.96.3
                                                          file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                          • 188.114.97.3
                                                          https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg==Get hashmaliciousUnknownBrowse
                                                          • 1.1.1.1
                                                          ArchivoNuevo.msiGet hashmaliciousUnknownBrowse
                                                          • 162.159.140.238
                                                          file.exeGet hashmaliciousLummaCBrowse
                                                          • 188.114.97.3
                                                          ibk0BQaWAo.exeGet hashmaliciousUnknownBrowse
                                                          • 188.114.97.6
                                                          ibk0BQaWAo.exeGet hashmaliciousUnknownBrowse
                                                          • 188.114.97.6

                                                          JA3 Fingerprints

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          3b5074b1b5d032e5620f69f9f700ff0eORDER 20240986 OA.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                          • 104.26.13.205
                                                          PO#8329837372938383839238PDF.exeGet hashmaliciousXWormBrowse
                                                          • 104.26.13.205
                                                          file.exeGet hashmaliciousLummaCBrowse
                                                          • 104.26.13.205
                                                          https://ollama.com/Get hashmaliciousUnknownBrowse
                                                          • 104.26.13.205
                                                          z1Tender_procurement_product_order__21_11_2024_.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 104.26.13.205
                                                          ArchivoNuevo.msiGet hashmaliciousUnknownBrowse
                                                          • 104.26.13.205
                                                          file.exeGet hashmaliciousLummaCBrowse
                                                          • 104.26.13.205
                                                          file.exeGet hashmaliciousUnknownBrowse
                                                          • 104.26.13.205
                                                          https://tally.so/widgets/embed.jsGet hashmaliciousUnknownBrowse
                                                          • 104.26.13.205
                                                          Lreticupdwy.exeGet hashmaliciousUnknownBrowse
                                                          • 104.26.13.205

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\datasheet.exe.log

                                                          Download File
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rjBdvmaV.exe.log

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\rjBdvmaV.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2232
                                                          Entropy (8bit):5.379460230152629
                                                          Encrypted:false
                                                          SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
                                                          MD5:4DC84D28CF28EAE82806A5390E5721C8
                                                          SHA1:66B6385EB104A782AD3737F2C302DEC0231ADEA2
                                                          SHA-256:1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
                                                          SHA-512:E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
                                                          Malicious:false
                                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0odxasgc.us5.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvisiq4t.l2b.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dznmcvfj.0vw.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3px5hxy.gii.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjauzphc.mdy.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tyhg0xp4.m2z.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vsfqmzec.tjr.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x1yz35e1.3vz.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\tmp43D7.tmp

                                                          Download File
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1581
                                                          Entropy (8bit):5.110306803875832
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtTVxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTXv
                                                          MD5:DC1753341552FA545C46C5E76A3A3A13
                                                          SHA1:F001E9CFC9BCF3B9AF06CF70BF7169A1FBBDF798
                                                          SHA-256:77CA2F17E5CD3F1EFDE10004BC5E6AD165557A3AF83B12FD34B8EC6118A60ED9
                                                          SHA-512:47AA26E4B75AB5B7E4665A0CE43ECD4F6DEF5F8DB62F6CF8E58B3B196A4DFB6B20682BB6BBB4A93CF0552B6EF378E967A1CD2382A9BC9A84B7E1FBC61834A92B
                                                          Malicious:true
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                          C:\Users\user\AppData\Local\Temp\tmp5B67.tmp

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\rjBdvmaV.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1581
                                                          Entropy (8bit):5.110306803875832
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtTVxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTXv
                                                          MD5:DC1753341552FA545C46C5E76A3A3A13
                                                          SHA1:F001E9CFC9BCF3B9AF06CF70BF7169A1FBBDF798
                                                          SHA-256:77CA2F17E5CD3F1EFDE10004BC5E6AD165557A3AF83B12FD34B8EC6118A60ED9
                                                          SHA-512:47AA26E4B75AB5B7E4665A0CE43ECD4F6DEF5F8DB62F6CF8E58B3B196A4DFB6B20682BB6BBB4A93CF0552B6EF378E967A1CD2382A9BC9A84B7E1FBC61834A92B
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                          C:\Users\user\AppData\Roaming\rjBdvmaV.exe

                                                          Download File
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):654336
                                                          Entropy (8bit):7.9722478723509145
                                                          Encrypted:false
                                                          SSDEEP:12288:O7AgFdeiGKC0uCejzi9UhkL8WYCUeBhQi5UX9aLmmf5jq5XX2sMMnQ4HwXYJ:KAgeizWCeW94WYCnCEmi25H2OQ4QI
                                                          MD5:27270BF6A969355E90E16289379CD6D1
                                                          SHA1:913F562DF18CF266C3AE94605CCE6C3CE084D472
                                                          SHA-256:7292590B86E83CA5C6993B8C56578740D1F066C91BAF3D95BEE2BD34D9153F15
                                                          SHA-512:814BEC3009C19A298737385B783654110230CF902DA1EBF18E2AD697901C884F8CF3F635979659CEEDFA17AA5B79AA1B0860316BAA2499B589D1586673730780
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 53%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iS~...............0.............b.... ... ....@.. .......................`............@.....................................O.... ..4....................@..........p............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4.... ......................@..@.reloc.......@......................@..B................D.......H.......p>...E..........x...Xr...........................................0..N........s....}.....s....}.....s....}.....r...p}.....r...p}......}.....(.......(.....*...0..6..............,..{....r!..po.....+.......,..{....rY..po.....*...0............{....r{..po......{.....o.....r...ps...........(....(.....+3..o........4...%..,.o.....s..........{......o.......o ..........-.....,..o!........+...*.........*.X.........*..0..n........s"......o#....+B..($........do%......F.........,...

                                                          C:\Users\user\AppData\Roaming\rjBdvmaV.exe:Zone.Identifier

                                                          Download File
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.9722478723509145
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:datasheet.exe
                                                          File size:654'336 bytes
                                                          MD5:27270bf6a969355e90e16289379cd6d1
                                                          SHA1:913f562df18cf266c3ae94605cce6c3ce084d472
                                                          SHA256:7292590b86e83ca5c6993b8c56578740d1f066c91baf3d95bee2bd34d9153f15
                                                          SHA512:814bec3009c19a298737385b783654110230cf902da1ebf18e2ad697901c884f8cf3f635979659ceedfa17aa5b79aa1b0860316baa2499b589d1586673730780
                                                          SSDEEP:12288:O7AgFdeiGKC0uCejzi9UhkL8WYCUeBhQi5UX9aLmmf5jq5XX2sMMnQ4HwXYJ:KAgeizWCeW94WYCnCEmi25H2OQ4QI
                                                          TLSH:5DD423225750AA66D4FB237AE010A98C47F073A03123D149EF80F99D7F2F79A7644DA7
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iS~...............0.............b.... ... ....@.. .......................`............@................................

                                                          File Icon

                                                          Icon Hash:00928e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4a0e62
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xBE7E5369 [Sat Apr 11 03:52:09 2071 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xa0e100x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xa20000x634.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xa40000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x9f5d00x70.text
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000x9ee680x9f00000f56f456ebd4b6e57348443c34702bfFalse0.9785616892688679data7.978892669414508IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc0xa20000x6340x800faca9faa53509ac90901e208cd3ecbe8False0.3388671875data3.4720982230349904IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0xa40000xc0x200bd0f425cbd4cef947c3c1a1b04cac7a8False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_VERSION0xa20900x3a4data0.41952789699570814
                                                          RT_MANIFEST0xa24440x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Nov 21, 2024 08:59:05.667613029 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:05.667664051 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:05.667768955 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:05.678469896 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:05.678483963 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:06.899382114 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:06.899472952 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:06.902887106 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:06.902894020 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:06.903311014 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:07.009347916 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:07.051341057 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:07.336981058 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:07.337045908 CET44349709104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:07.337400913 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:07.343214989 CET49709443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:08.261672974 CET49711587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:08.381396055 CET5874971177.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:08.381609917 CET49711587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:09.775053024 CET5874971177.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:09.793895960 CET49711587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:09.913316965 CET5874971177.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:10.241309881 CET5874971177.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:10.241708994 CET49711587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:10.361258984 CET5874971177.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:10.620533943 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:10.620575905 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:10.620959044 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:10.631270885 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:10.631289959 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:10.689356089 CET5874971177.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:10.822045088 CET49711587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:11.069962025 CET49711587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:11.973244905 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:11.973409891 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:11.976116896 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:11.976128101 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:11.976373911 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:12.025175095 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:12.311099052 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:12.355328083 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:12.671076059 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:12.671165943 CET44349713104.26.13.205192.168.2.8
                                                          Nov 21, 2024 08:59:12.671286106 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:12.681301117 CET49713443192.168.2.8104.26.13.205
                                                          Nov 21, 2024 08:59:13.520725965 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:13.640239954 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:13.640342951 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:14.924953938 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:14.925234079 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:15.044800043 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:15.368109941 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:15.368321896 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:15.487870932 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:15.810998917 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:15.811949015 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:15.931751013 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.256923914 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.256988049 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.257028103 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.257051945 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:16.257065058 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.257110119 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:16.261750937 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:16.381724119 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.705743074 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:16.712454081 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:16.833684921 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:17.155409098 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:17.156760931 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:17.276232958 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:17.599463940 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:17.600783110 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:17.720469952 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:18.072820902 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:18.073132992 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:18.192831993 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:18.532887936 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:18.533121109 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:18.652728081 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.087030888 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.087510109 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:19.207041979 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.530147076 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.572057009 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:19.627038002 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:19.627126932 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:19.627254009 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:19.630104065 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:19.746613026 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.746644974 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.746680021 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:19.749650955 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.151637077 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.192219019 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:21.246851921 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:21.366535902 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.689826012 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.689868927 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.690020084 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:21.690335035 CET49714587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:21.691740036 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:21.809794903 CET5874971477.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.811744928 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:21.811834097 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:23.162616968 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:23.162806988 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:23.282361984 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:23.616193056 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:23.616436005 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:23.736040115 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.069895983 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.070389986 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:24.190335035 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.525185108 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.525255919 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.525293112 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.525329113 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.525373936 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:24.525423050 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:24.527482986 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:24.647150993 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.980997086 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:24.993005991 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:25.112555027 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:25.446301937 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:25.446717978 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:25.566376925 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:25.900193930 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:25.900566101 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:26.020045042 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:26.368530989 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:26.368768930 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:26.488383055 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:26.861713886 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:26.862005949 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:26.983082056 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:27.404994011 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:27.412127972 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.531594992 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:27.865395069 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:27.885066032 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885137081 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885175943 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885217905 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885265112 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885320902 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885369062 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885391951 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885421038 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:27.885445118 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 08:59:28.004806995 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.004852057 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.004976034 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005004883 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005089998 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005119085 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005146027 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005196095 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005223036 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.005249977 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.696536064 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 08:59:28.746442080 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:43.696809053 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:00:43.696891069 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:53.541464090 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:53.542107105 CET49717587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:53.661019087 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:00:53.661524057 CET5874971777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:00:57.621377945 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:57.741225004 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:00:57.741384983 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:59.765435934 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:00:59.765605927 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:00:59.885186911 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:00.228880882 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:00.229068995 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:00.348499060 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:00.692471027 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:00.699132919 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:00.818994999 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.165043116 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.165081024 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.165091991 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.165106058 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.168024063 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:01.190280914 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:01.309969902 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.653757095 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:01.667866945 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:01.787503004 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:02.140332937 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:02.140646935 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:02.260164976 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:02.603693962 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:02.604228973 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:02.725436926 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:03.097392082 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:03.098788977 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:03.218413115 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:03.569055080 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:03.584867954 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:03.704396009 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.141217947 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.148952007 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.268579960 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.612443924 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.615829945 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.615885973 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.615911007 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.615974903 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.617408037 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.735615969 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.735630035 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.735642910 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.735651970 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.735697031 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.735740900 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.736974955 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737009048 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737041950 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.737111092 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.737185001 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737194061 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737230062 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737238884 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737246990 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737260103 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737289906 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.737313986 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.737350941 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.737351894 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.737543106 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.855243921 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.855293036 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.855351925 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.856678009 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.856725931 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.856771946 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.856801987 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.857048035 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857110977 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.857131004 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857314110 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857350111 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857398033 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857404947 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.857434034 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.857450962 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.857486010 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857554913 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.857575893 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.857614994 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.898376942 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.898468971 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.975022078 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.975135088 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.975169897 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.976309061 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.976393938 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.976450920 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.976461887 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.976545095 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.976728916 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.976859093 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977032900 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.977107048 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:04.977119923 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977173090 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977247953 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977440119 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977514029 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977524042 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977638960 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977667093 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977715969 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977788925 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977861881 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977873087 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977952957 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.977962971 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.978041887 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.978050947 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.978147984 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.978161097 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:04.978225946 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.018016100 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.018213034 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.095093012 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.095143080 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.095154047 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.095168114 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.095912933 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096050978 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096091032 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096199989 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096260071 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096271038 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096304893 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096319914 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096333981 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096405983 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096417904 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096451044 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096545935 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:05.096579075 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:10.842943907 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:10.966538906 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:25.557354927 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:25.677005053 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:26.024566889 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:26.024640083 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:26.024697065 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:26.025105953 CET49719587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:26.026653051 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:26.144459963 CET5874971977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:26.146087885 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:26.146178007 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:27.731267929 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:27.731430054 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:27.851008892 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:28.168982029 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:28.170788050 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:28.290385008 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:28.608447075 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:28.609600067 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:28.729096889 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.049240112 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.049257040 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.049267054 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.049372911 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:29.049393892 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.050693035 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:29.052351952 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:29.171762943 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.489849091 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.492413998 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:29.611912966 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.930037022 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:29.930294991 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:30.049935102 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:30.367460012 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:30.376089096 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:30.495685101 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:30.837574959 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:30.838335037 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:30.957978964 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:31.311799049 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:31.312161922 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:31.431720018 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:31.855228901 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:31.855469942 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:31.974893093 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.292831898 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.293230057 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.293271065 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.293319941 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.293431044 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.295011997 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.412708044 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.412766933 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.412837982 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.412861109 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.414347887 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.414393902 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.414730072 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.414740086 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.414779902 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.414803982 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.414835930 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.414880037 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.415008068 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.415035963 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.415045977 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.415054083 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.415074110 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.415112019 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.415169001 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.415178061 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.415216923 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.415270090 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.415309906 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.532336950 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.532409906 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.533901930 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.533957958 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.534414053 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534459114 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.534529924 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534586906 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.534645081 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534688950 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.534709930 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534759998 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.534784079 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534828901 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.534941912 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534951925 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.534991980 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.535005093 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.535006046 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.535051107 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.535132885 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.535181999 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.578416109 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.578531027 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.652142048 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.652256966 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.653728008 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.653795958 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.654136896 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654237032 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654360056 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654402971 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:32.654426098 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654524088 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654639006 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654704094 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654817104 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654920101 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.654947042 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655071974 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655175924 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655190945 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655201912 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655368090 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655378103 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655411959 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655453920 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655533075 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655574083 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655613899 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655687094 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655832052 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.655842066 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.698478937 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.698496103 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.771878958 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.771914959 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.771924019 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.771967888 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.773335934 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.773345947 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.773413897 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.773423910 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774002075 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774013042 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774076939 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774085999 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774132967 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774187088 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774265051 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:32.774288893 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:33.573503971 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:33.658792019 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:33.693363905 CET5874972077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:33.693458080 CET49720587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:33.778275967 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:33.778362989 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:35.180351973 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:35.180589914 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:35.300312042 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:35.630357027 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:35.630691051 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:35.750199080 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.080534935 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.125880003 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:36.245501041 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.576613903 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.576632023 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.576643944 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.576710939 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:36.576720953 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:36.576762915 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:36.578728914 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:36.698128939 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:37.028213978 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:37.030877113 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:37.150572062 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:37.480204105 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:37.481597900 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:37.601174116 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:37.931122065 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:37.931519032 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:38.051034927 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:38.415843964 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:38.416538954 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:38.536086082 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:38.877203941 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:38.878563881 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:38.998095989 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.338079929 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.338562965 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.458159924 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.788011074 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.789314985 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.789588928 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.789633989 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.789824963 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.792550087 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.909032106 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.909110069 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.909229994 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.909293890 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.909332037 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.909392118 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:39.912250996 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912277937 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912319899 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912364960 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912400007 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912482977 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912492037 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912621975 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.912631989 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:39.962958097 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.029439926 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.029504061 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.029679060 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.029728889 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.082775116 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.082792997 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.082911968 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.082926989 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.082968950 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.083019018 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.083055973 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.083101034 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.083159924 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.083237886 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.083277941 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.083292961 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.083324909 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.083406925 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.083455086 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.083525896 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.083587885 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.150398016 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.150510073 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.150536060 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.150594950 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.202714920 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.202748060 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.202804089 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.202805042 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.202862024 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:40.202909946 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203005075 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203046083 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203161955 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203174114 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203260899 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203270912 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203320980 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203351974 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203423977 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203465939 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203510046 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203520060 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203605890 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203615904 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203675032 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203685045 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203783989 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203794956 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203804016 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203886986 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203896999 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.203907013 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270113945 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270137072 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270225048 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270277977 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270369053 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270381927 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270416975 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.270458937 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322580099 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322592974 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322608948 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322619915 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322690010 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322700024 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322711945 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:40.322721958 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:41.072449923 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:41.276715040 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:43.436872005 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:43.556449890 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:43.886761904 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:43.886857033 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:43.886909962 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:43.887706041 CET49721587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:43.897208929 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:44.007143021 CET5874972177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:44.016863108 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:44.017013073 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:45.297375917 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:45.302762032 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:45.422270060 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:45.744306087 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:45.744509935 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:45.864087105 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:46.166426897 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:46.189580917 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:46.189649105 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:46.264292955 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:46.286351919 CET5874972277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:46.286417007 CET49722587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:46.383933067 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:46.384027004 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:47.704070091 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:47.718101978 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:47.837771893 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:48.172209978 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:48.172369957 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:48.291935921 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:48.626774073 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:48.629384041 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:48.750999928 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:48.926461935 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:48.974584103 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:49.046399117 CET5874972377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:49.051273108 CET49723587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:49.094434023 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:49.094557047 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:50.551084995 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:50.603513002 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:50.642216921 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:50.761929989 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.091264963 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.091885090 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:51.211683035 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.541202068 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.542157888 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:51.661775112 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.992762089 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.992824078 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.992860079 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.992894888 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:51.992929935 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:51.992969036 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:51.996175051 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:52.115716934 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:52.445221901 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:52.449167967 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:52.568706036 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:52.898456097 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:52.898766041 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:53.018327951 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:53.347790003 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:53.349526882 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:53.469166040 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:53.810251951 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:53.814572096 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:53.934184074 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:54.266899109 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:54.267311096 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:54.386964083 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:54.811558962 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:54.811928034 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:54.931483984 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:55.089289904 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:55.151755095 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:55.209181070 CET5874972477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:55.209320068 CET49724587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:55.271460056 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:55.271656990 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:56.866539955 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:56.866795063 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:56.986398935 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:57.316844940 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:57.317082882 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:57.436670065 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:57.767049074 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:57.769993067 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:57.889501095 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.221494913 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.221527100 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.221543074 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.221637964 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.221659899 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:58.221716881 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:58.223891020 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:58.343344927 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.674359083 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:58.676506996 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:58.796061993 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:59.126643896 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:59.132771015 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:59.252377987 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:59.583008051 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:59.584043980 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:59.703581095 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:59.760551929 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:59.880387068 CET5874972577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:01:59.880496025 CET49725587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:01:59.881925106 CET49726587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:00.001447916 CET5874972677.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:00.001539946 CET49726587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:00.619906902 CET49726587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:00.674807072 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:00.739612103 CET5874972677.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:00.740216017 CET49726587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:00.794394016 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:00.794672012 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:02.096016884 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:02.197263956 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:02.267744064 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:02.387365103 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:02.722081900 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:02.722358942 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:02.842008114 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.176445007 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.176908016 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:03.296544075 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.632788897 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.632854939 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.632872105 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.632935047 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:03.632960081 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:03.633007050 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:03.636759043 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:03.756274939 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:04.091249943 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:04.093887091 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:04.213510990 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:04.548048973 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:04.548305035 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:04.667933941 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:05.002496958 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:05.003144979 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:05.122817039 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:05.674797058 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:05.675101042 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:05.794900894 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:06.146238089 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:06.146507978 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:06.265980005 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:06.705243111 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:06.706898928 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:06.826494932 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.161269903 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.163050890 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.163146019 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.163146019 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.163397074 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.166673899 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.282603025 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.282746077 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.282819033 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.282903910 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.282915115 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.283013105 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.286412001 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286433935 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286530972 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.286556005 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286607027 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286659002 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.286715984 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286736012 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286772966 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.286864996 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286901951 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.286910057 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.286947966 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.286993027 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.287005901 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.287166119 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.402478933 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.402509928 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.402740002 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.406083107 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406359911 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406500101 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406578064 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406630993 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.406632900 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406733990 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.406793118 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406860113 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.406984091 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.407040119 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.407376051 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.450172901 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.450309038 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.522592068 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.522675991 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.522804022 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.526246071 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526309013 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526395082 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526446104 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.526514053 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526642084 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526740074 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526767015 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526828051 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.526892900 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527018070 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527076006 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527173996 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527201891 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527309895 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527333021 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527407885 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527421951 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527489901 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527513981 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527601004 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527615070 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527750969 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527764082 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.527801991 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.569905043 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.569932938 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642437935 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642529964 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642667055 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642679930 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642719984 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642838001 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.642945051 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.643143892 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.645965099 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646157980 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646209955 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646332979 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646357059 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646467924 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646491051 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.646667004 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.838335991 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.905348063 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:07.958152056 CET5874972777.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:07.958225965 CET49727587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:08.026576042 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:08.026659012 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:09.331247091 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:09.341587067 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:09.461076975 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:09.791098118 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:09.791348934 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:09.910798073 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.240593910 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.240983009 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:10.360456944 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.691862106 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.691876888 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.691890955 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.691904068 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:10.692044973 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:10.692044973 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:10.694001913 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:10.813657045 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:11.143937111 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:11.146090984 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:11.265815020 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:11.595784903 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:11.603333950 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:11.723062038 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:12.052951097 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:12.079339027 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:12.198996067 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:12.545521021 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:12.545747995 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:12.665261030 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:13.002233982 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:13.002505064 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:13.122195959 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:13.542254925 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:13.542521954 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:13.662151098 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:13.992208004 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:13.992945910 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:13.993052959 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:13.993165016 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:13.993309975 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:13.997885942 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.112535000 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.112633944 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.112721920 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.112744093 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.112829924 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.112870932 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.117578983 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117597103 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117630959 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117641926 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117661953 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117674112 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117830992 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117847919 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.117851019 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.119205952 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.232263088 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.232325077 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.232357025 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.232431889 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.238845110 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.238904953 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.238933086 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239017010 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.239172935 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239227057 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.239279985 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239342928 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.239358902 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239424944 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239427090 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.239471912 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239530087 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.239535093 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239615917 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.239635944 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.239691019 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.352266073 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.352281094 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.352335930 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.352372885 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.359503984 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.359518051 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.359527111 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.359599113 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:14.360186100 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360332012 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360481024 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360670090 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360796928 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360805988 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360816002 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.360824108 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361083984 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361100912 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361109018 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361116886 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361219883 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361233950 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361243010 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361251116 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361258984 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361267090 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361341953 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361352921 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361361027 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361368895 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.361377001 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472088099 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472177029 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472188950 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472198009 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472275972 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472286940 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472378969 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.472388983 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479324102 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479332924 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479336977 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479345083 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479439020 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479449987 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479460955 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:14.479579926 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:15.426558018 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:15.494566917 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:23.751395941 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:23.871071100 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.200666904 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.201162100 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.201164961 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.201267958 CET49728587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.202750921 CET49729587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.320837975 CET5874972877.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.322237015 CET5874972977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.322330952 CET49729587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.667058945 CET49729587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.742705107 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.786978006 CET5874972977.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.788811922 CET49729587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:24.862257004 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:24.864873886 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:26.334590912 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:26.334744930 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:26.454217911 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:26.796333075 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:26.799345016 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:26.918993950 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.261001110 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.261632919 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:27.381108999 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.725318909 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.725367069 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.725379944 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.725424051 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:27.725492954 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:27.725529909 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:27.728292942 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:27.847815037 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:28.190289974 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:28.192471027 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:28.312016010 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:28.654011965 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:28.654386044 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:28.773947954 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:29.116342068 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:29.117436886 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:29.236947060 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:29.604239941 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:29.604497910 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:29.724163055 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:30.078571081 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:30.078865051 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:30.198335886 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:30.647047043 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:30.647289038 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:30.766851902 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.108983994 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.109420061 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.109420061 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.109488010 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.109778881 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.111121893 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.228995085 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.229024887 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.229034901 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.229134083 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.229201078 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.229367971 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.230640888 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230664968 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230726957 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230727911 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.230767012 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230828047 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230895996 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230912924 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230927944 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.230978966 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.230984926 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.231009007 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.231055021 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.231055021 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.348747969 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.348822117 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.348831892 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.348998070 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.350358963 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350420952 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.350436926 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350466967 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350529909 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.350545883 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350575924 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350640059 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.350692987 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350795984 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.350868940 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350898027 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.350977898 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.394181967 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.394712925 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.468585014 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.468647957 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.468688011 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.470191956 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470375061 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470406055 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470449924 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.470545053 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470550060 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.470575094 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470701933 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470752954 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.470866919 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:31.471024990 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471164942 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471251965 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471362114 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471414089 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471442938 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471544981 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471596003 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471683979 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471714020 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471765041 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471792936 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471844912 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471873999 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471924067 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471951962 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.471988916 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.514472961 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.514861107 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.588283062 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.588305950 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.588335037 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.588427067 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590100050 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590207100 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590226889 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590511084 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590519905 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590595961 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590606928 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590682983 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590699911 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590842962 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590852976 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590939999 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:31.590950012 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:32.368443012 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:32.416115046 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:47.530380011 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:47.649935961 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:47.993133068 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:47.993261099 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:47.993309975 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:47.994071007 CET49730587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:47.999114990 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:48.113528967 CET5874973077.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:48.118702888 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:48.118772030 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:49.476480007 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:49.506263971 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:49.625905037 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:49.973732948 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:49.974174976 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:50.093797922 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.441678047 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.442301989 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:50.561866999 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.910923004 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.910950899 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.910963058 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.910985947 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:50.911025047 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:50.911113024 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:50.913039923 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:51.032567978 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:51.380740881 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:51.383070946 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:51.502616882 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:51.850466967 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:51.850703955 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:51.970870972 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:52.318233013 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:52.362323999 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:52.481888056 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:52.848896980 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:52.862324953 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:52.981858015 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:53.339031935 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:53.339405060 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:53.459002018 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:53.900409937 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:53.900734901 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.020323038 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.368187904 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.368697882 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.368793011 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.368825912 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.368916988 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.371001959 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.488358021 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.488374949 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.488385916 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.488399982 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.488426924 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.488468885 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.490567923 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490578890 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490627050 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.490648985 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.490741968 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490804911 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490845919 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.490855932 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490874052 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490912914 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.490976095 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.490987062 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.491003036 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.491030931 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.491055012 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.608123064 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.608139038 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610132933 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610183954 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.610209942 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.610224009 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610387087 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610447884 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.610553026 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610661030 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610677958 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.610712051 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.610771894 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.610821962 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.610995054 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.611040115 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.611109018 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.730272055 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730310917 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730320930 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730377913 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.730417967 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730427980 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730442047 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730487108 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:54.730508089 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730655909 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730695963 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730705976 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730716944 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730726004 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730854034 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730871916 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730931997 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.730978012 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.731020927 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.731038094 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.731081009 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.731112957 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.731158018 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.731216908 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.849953890 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.849976063 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850125074 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850136042 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850225925 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850258112 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850301981 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850353956 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850449085 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850459099 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850531101 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850557089 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850675106 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850686073 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850783110 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:54.850795984 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:57.124365091 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:57.197371960 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:59.362677097 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:59.482141018 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:59.829936981 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:59.830099106 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:59.830149889 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:59.830470085 CET49731587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:59.832057953 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:02:59.949903011 CET5874973177.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:59.951579094 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:02:59.951663971 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:01.255276918 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:01.258794069 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:01.378285885 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:01.709136963 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:01.712881088 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:01.832482100 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.163244009 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.163692951 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:02.283222914 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.616301060 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.616386890 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.616424084 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.616450071 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:02.616467953 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:02.616519928 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:02.618617058 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:02.738230944 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:03.069268942 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:03.074233055 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:03.193695068 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:03.526655912 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:03.697529078 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:03.724901915 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:03.844495058 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:04.175615072 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:04.175942898 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:04.295634985 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:04.654153109 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:04.654377937 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:04.773876905 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:04.838413954 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:04.894248962 CET49733587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:04.958173037 CET5874973277.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:04.958317041 CET49732587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:05.329916000 CET5874973377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:05.330176115 CET49733587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:06.463217020 CET49733587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:06.535111904 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:06.583009958 CET5874973377.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:06.583187103 CET49733587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:06.654988050 CET5874973477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:06.658734083 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:08.001972914 CET5874973477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:08.002123117 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:08.122936010 CET5874973477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:08.457690954 CET5874973477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:08.583445072 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:11.019489050 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:11.019598007 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:11.061733961 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:11.139678955 CET5874973477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:11.140620947 CET5874973477.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:11.140672922 CET49734587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:11.181310892 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:11.181406021 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:12.627636909 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:12.627813101 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:12.747354031 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.080108881 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.082837105 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:13.202405930 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.534908056 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.535376072 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:13.654939890 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.990890026 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.990921021 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.990933895 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.990972042 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:13.991157055 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:13.991157055 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:13.992985964 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:14.112443924 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:14.445144892 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:14.446099997 CET49735587192.168.2.877.88.21.158
                                                          Nov 21, 2024 09:03:14.565712929 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:14.898821115 CET5874973577.88.21.158192.168.2.8
                                                          Nov 21, 2024 09:03:14.947379112 CET49735587192.168.2.877.88.21.158

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Nov 21, 2024 08:59:05.413388968 CET5936453192.168.2.81.1.1.1
                                                          Nov 21, 2024 08:59:05.639143944 CET53593641.1.1.1192.168.2.8
                                                          Nov 21, 2024 08:59:08.034331083 CET6080153192.168.2.81.1.1.1
                                                          Nov 21, 2024 08:59:08.260533094 CET53608011.1.1.1192.168.2.8

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Nov 21, 2024 08:59:05.413388968 CET192.168.2.81.1.1.10x6cc1Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                          Nov 21, 2024 08:59:08.034331083 CET192.168.2.81.1.1.10xe01fStandard query (0)smtp.yandex.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Nov 21, 2024 08:59:05.639143944 CET1.1.1.1192.168.2.80x6cc1No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                          Nov 21, 2024 08:59:05.639143944 CET1.1.1.1192.168.2.80x6cc1No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                          Nov 21, 2024 08:59:05.639143944 CET1.1.1.1192.168.2.80x6cc1No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                          Nov 21, 2024 08:59:08.260533094 CET1.1.1.1192.168.2.80xe01fNo error (0)smtp.yandex.comsmtp.yandex.ruCNAME (Canonical name)IN (0x0001)false
                                                          Nov 21, 2024 08:59:08.260533094 CET1.1.1.1192.168.2.80xe01fNo error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • api.ipify.org

                                                          HTTPS Proxied Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.2.849709104.26.13.2054437824C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          TimestampBytes transferredDirectionData
                                                          2024-11-21 07:59:07 UTC155OUTGET / HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                          Host: api.ipify.org
                                                          Connection: Keep-Alive
                                                          2024-11-21 07:59:07 UTC399INHTTP/1.1 200 OK
                                                          Date: Thu, 21 Nov 2024 07:59:07 GMT
                                                          Content-Type: text/plain
                                                          Content-Length: 11
                                                          Connection: close
                                                          Vary: Origin
                                                          CF-Cache-Status: DYNAMIC
                                                          Server: cloudflare
                                                          CF-RAY: 8e5f2375cd88434f-EWR
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1742&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1636771&cwnd=241&unsent_bytes=0&cid=520cd1cf78025bfb&ts=452&x=0"
                                                          2024-11-21 07:59:07 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
                                                          Data Ascii: 8.46.123.75


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          1192.168.2.849713104.26.13.205443332C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          TimestampBytes transferredDirectionData
                                                          2024-11-21 07:59:12 UTC155OUTGET / HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                          Host: api.ipify.org
                                                          Connection: Keep-Alive
                                                          2024-11-21 07:59:12 UTC399INHTTP/1.1 200 OK
                                                          Date: Thu, 21 Nov 2024 07:59:12 GMT
                                                          Content-Type: text/plain
                                                          Content-Length: 11
                                                          Connection: close
                                                          Vary: Origin
                                                          CF-Cache-Status: DYNAMIC
                                                          Server: cloudflare
                                                          CF-RAY: 8e5f2396f8dd7c88-EWR
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2033&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1446977&cwnd=211&unsent_bytes=0&cid=aab191f560b962a4&ts=701&x=0"
                                                          2024-11-21 07:59:12 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
                                                          Data Ascii: 8.46.123.75


                                                          SMTP Packets

                                                          TimestampSource PortDest PortSource IPDest IPCommands
                                                          Nov 21, 2024 08:59:09.775053024 CET5874971177.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-42.klg.yp-c.yandex.net Ok 1732175949-9xNw051OcGk0
                                                          Nov 21, 2024 08:59:09.793895960 CET49711587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 08:59:10.241309881 CET5874971177.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-42.klg.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 08:59:10.241708994 CET49711587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 08:59:10.689356089 CET5874971177.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 08:59:14.924953938 CET5874971477.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-23.myt.yp-c.yandex.net Ok 1732175954-ExNs5w0OlOs0
                                                          Nov 21, 2024 08:59:14.925234079 CET49714587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 08:59:15.368109941 CET5874971477.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-23.myt.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 08:59:15.368321896 CET49714587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 08:59:15.810998917 CET5874971477.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 08:59:23.162616968 CET5874971777.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net Ok 1732175962-MxNQ4I1Oq0U0
                                                          Nov 21, 2024 08:59:23.162806988 CET49717587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 08:59:23.616193056 CET5874971777.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 08:59:23.616436005 CET49717587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 08:59:24.069895983 CET5874971777.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:00:59.765435934 CET5874971977.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-49.vla.yp-c.yandex.net Ok 1732176059-w0O1PE1Om4Y0
                                                          Nov 21, 2024 09:00:59.765605927 CET49719587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:00.228880882 CET5874971977.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-49.vla.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:00.229068995 CET49719587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:00.692471027 CET5874971977.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:01:27.731267929 CET5874972077.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-22.iva.yp-c.yandex.net Ok 1732176087-R1Ot4p0OciE0
                                                          Nov 21, 2024 09:01:27.731430054 CET49720587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:28.168982029 CET5874972077.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-22.iva.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:28.170788050 CET49720587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:28.608447075 CET5874972077.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:01:35.180351973 CET5874972177.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-39.klg.yp-c.yandex.net Ok 1732176094-Y1OI781OnmI0
                                                          Nov 21, 2024 09:01:35.180589914 CET49721587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:35.630357027 CET5874972177.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-39.klg.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:35.630691051 CET49721587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:36.080534935 CET5874972177.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:01:45.297375917 CET5874972277.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-18.iva.yp-c.yandex.net Ok 1732176105-i1OVeq0OpCg0
                                                          Nov 21, 2024 09:01:45.302762032 CET49722587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:45.744306087 CET5874972277.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-18.iva.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:45.744509935 CET49722587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:46.189580917 CET5874972277.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:01:47.704070091 CET5874972377.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-64.vla.yp-c.yandex.net Ok 1732176107-l1OWL81OnOs0
                                                          Nov 21, 2024 09:01:47.718101978 CET49723587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:48.172209978 CET5874972377.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-64.vla.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:48.172369957 CET49723587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:48.626774073 CET5874972377.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:01:50.551084995 CET5874972477.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-46.sas.yp-c.yandex.net Ok 1732176110-o1OWC81Op8c0
                                                          Nov 21, 2024 09:01:50.642216921 CET49724587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:51.091264963 CET5874972477.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-46.sas.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:51.091885090 CET49724587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:51.541202068 CET5874972477.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:01:56.866539955 CET5874972577.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-81.vla.yp-c.yandex.net Ok 1732176116-u1OcO41OqOs0
                                                          Nov 21, 2024 09:01:56.866795063 CET49725587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:01:57.316844940 CET5874972577.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-81.vla.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:01:57.317082882 CET49725587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:01:57.767049074 CET5874972577.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:02:02.096016884 CET5874972777.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-36.iva.yp-c.yandex.net Ok 1732176121-12OcPn0OiuQ0
                                                          Nov 21, 2024 09:02:02.267744064 CET49727587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:02:02.722081900 CET5874972777.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-36.iva.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:02:02.722358942 CET49727587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:02:03.176445007 CET5874972777.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:02:09.331247091 CET5874972877.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-84.vla.yp-c.yandex.net Ok 1732176129-82Ovs11OhW20
                                                          Nov 21, 2024 09:02:09.341587067 CET49728587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:02:09.791098118 CET5874972877.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-84.vla.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:02:09.791348934 CET49728587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:02:10.240593910 CET5874972877.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:02:26.334590912 CET5874973077.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-33.iva.yp-c.yandex.net Ok 1732176146-P2OtFp0OkeA0
                                                          Nov 21, 2024 09:02:26.334744930 CET49730587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:02:26.796333075 CET5874973077.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-33.iva.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:02:26.799345016 CET49730587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:02:27.261001110 CET5874973077.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:02:49.476480007 CET5874973177.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net Ok 1732176169-n2O75K1OoOs0
                                                          Nov 21, 2024 09:02:49.506263971 CET49731587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:02:49.973732948 CET5874973177.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-18.vla.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:02:49.974174976 CET49731587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:02:50.441678047 CET5874973177.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:03:01.255276918 CET5874973277.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net Ok 1732176180-03O4Dt0OpGk0
                                                          Nov 21, 2024 09:03:01.258794069 CET49732587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:03:01.709136963 CET5874973277.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:03:01.712881088 CET49732587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:03:02.163244009 CET5874973277.88.21.158192.168.2.8220 Go ahead
                                                          Nov 21, 2024 09:03:08.001972914 CET5874973477.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net Ok 1732176187-73OnOs0OhuQ0
                                                          Nov 21, 2024 09:03:08.002123117 CET49734587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:03:08.457690954 CET5874973477.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:03:11.019489050 CET49734587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:03:12.627636909 CET5874973577.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-46.myt.yp-c.yandex.net Ok 1732176192-C3OuVs0Oj4Y0
                                                          Nov 21, 2024 09:03:12.627813101 CET49735587192.168.2.877.88.21.158EHLO 820094
                                                          Nov 21, 2024 09:03:13.080108881 CET5874973577.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-46.myt.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:03:13.082837105 CET49735587192.168.2.877.88.21.158STARTTLS
                                                          Nov 21, 2024 09:03:13.534908056 CET5874973577.88.21.158192.168.2.8220 Go ahead

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:02:59:00
                                                          Start date:21/11/2024
                                                          Path:C:\Users\user\Desktop\datasheet.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\datasheet.exe"
                                                          Imagebase:0xb60000
                                                          File size:654'336 bytes
                                                          MD5 hash:27270BF6A969355E90E16289379CD6D1
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1449663902.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:3
                                                          Start time:02:59:01
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
                                                          Imagebase:0x180000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:4
                                                          Start time:02:59:01
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:5
                                                          Start time:02:59:01
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjBdvmaV.exe"
                                                          Imagebase:0x180000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:6
                                                          Start time:02:59:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:7
                                                          Start time:02:59:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp43D7.tmp"
                                                          Imagebase:0x430000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:8
                                                          Start time:02:59:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:9
                                                          Start time:02:59:03
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0x10000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1481776134.00000000022CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1479276700.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1481776134.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:10
                                                          Start time:02:59:04
                                                          Start date:21/11/2024
                                                          Path:C:\Users\user\AppData\Roaming\rjBdvmaV.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\rjBdvmaV.exe
                                                          Imagebase:0x130000
                                                          File size:654'336 bytes
                                                          MD5 hash:27270BF6A969355E90E16289379CD6D1
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 53%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:11
                                                          Start time:02:59:06
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff605670000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:12
                                                          Start time:02:59:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\user\AppData\Local\Temp\tmp5B67.tmp"
                                                          Imagebase:0x430000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:13
                                                          Start time:02:59:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:14
                                                          Start time:02:59:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0x8e0000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3862783445.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Has exited:false

                                                          Disassembly

                                                          Reset < >

                                                            Execution Graph

                                                            Execution Coverage:9.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:1.3%
                                                            Total number of Nodes:320
                                                            Total number of Limit Nodes:13
                                                            execution_graph 44424 7a00f10 44425 7a0109b 44424->44425 44426 7a00f36 44424->44426 44426->44425 44429 7a01190 PostMessageW 44426->44429 44431 7a01188 44426->44431 44430 7a011fc 44429->44430 44430->44426 44432 7a01190 PostMessageW 44431->44432 44433 7a011fc 44432->44433 44433->44426 44325 5498068 44326 5498095 44325->44326 44339 5497bf8 44326->44339 44330 5498161 44331 5497bf8 GetModuleHandleW 44330->44331 44332 54981c5 44331->44332 44333 5497bf8 GetModuleHandleW 44332->44333 44334 54981f7 44333->44334 44335 5497bf8 GetModuleHandleW 44334->44335 44336 5498682 44335->44336 44337 5497bf8 GetModuleHandleW 44336->44337 44338 54986b4 44337->44338 44340 5497c03 44339->44340 44349 5497d98 44340->44349 44342 549812f 44343 5497c08 44342->44343 44344 5497c13 44343->44344 44411 5499ccc 44344->44411 44348 549a17d 44348->44330 44350 5497da3 44349->44350 44354 2de70d4 44350->44354 44361 2de8690 44350->44361 44351 54994d4 44351->44342 44355 2de70df 44354->44355 44357 2de8953 44355->44357 44368 2deb001 44355->44368 44356 2de8991 44356->44351 44357->44356 44372 2ded0e8 44357->44372 44378 2ded0f8 44357->44378 44362 2de86cb 44361->44362 44364 2de8953 44362->44364 44365 2deb001 GetModuleHandleW 44362->44365 44363 2de8991 44363->44351 44364->44363 44366 2ded0f8 GetModuleHandleW 44364->44366 44367 2ded0e8 GetModuleHandleW 44364->44367 44365->44364 44366->44363 44367->44363 44383 2deb038 44368->44383 44386 2deb027 44368->44386 44369 2deb016 44369->44357 44373 2ded06b 44372->44373 44375 2ded0f2 44372->44375 44373->44356 44374 2ded13d 44374->44356 44375->44374 44395 2ded2a8 44375->44395 44399 2ded297 44375->44399 44379 2ded119 44378->44379 44380 2ded13d 44379->44380 44381 2ded2a8 GetModuleHandleW 44379->44381 44382 2ded297 GetModuleHandleW 44379->44382 44380->44356 44381->44380 44382->44380 44390 2deb130 44383->44390 44384 2deb047 44384->44369 44387 2deb038 44386->44387 44389 2deb130 GetModuleHandleW 44387->44389 44388 2deb047 44388->44369 44389->44388 44391 2deb141 44390->44391 44392 2deb164 44390->44392 44391->44392 44393 2deb368 GetModuleHandleW 44391->44393 44392->44384 44394 2deb395 44393->44394 44394->44384 44396 2ded2b5 44395->44396 44397 2ded2ef 44396->44397 44403 2dece10 44396->44403 44397->44374 44400 2ded2a8 44399->44400 44401 2dece10 GetModuleHandleW 44400->44401 44402 2ded2ef 44400->44402 44401->44402 44402->44374 44404 2dece1b 44403->44404 44405 2dedc00 44404->44405 44407 2decf3c 44404->44407 44408 2decf47 44407->44408 44409 2de70d4 GetModuleHandleW 44408->44409 44410 2dedc6f 44409->44410 44410->44405 44412 5499cd7 44411->44412 44419 549d38c 44412->44419 44414 549a15c 44415 5499cdc 44414->44415 44416 5499ce7 44415->44416 44417 549d38c GetModuleHandleW 44416->44417 44418 549f5f5 44417->44418 44418->44348 44420 549d397 44419->44420 44422 2de70d4 GetModuleHandleW 44420->44422 44423 2de8690 GetModuleHandleW 44420->44423 44421 549edae 44421->44414 44422->44421 44423->44421 44434 169d01c 44435 169d034 44434->44435 44436 169d08e 44435->44436 44439 5492c08 44435->44439 44448 5490abc 44435->44448 44442 5492c45 44439->44442 44440 5492c79 44473 5490be4 44440->44473 44442->44440 44443 5492c69 44442->44443 44457 5492e6c 44443->44457 44463 5492da0 44443->44463 44468 5492d91 44443->44468 44444 5492c77 44449 5490ac7 44448->44449 44450 5492c79 44449->44450 44452 5492c69 44449->44452 44451 5490be4 CallWindowProcW 44450->44451 44453 5492c77 44451->44453 44454 5492e6c CallWindowProcW 44452->44454 44455 5492d91 CallWindowProcW 44452->44455 44456 5492da0 CallWindowProcW 44452->44456 44454->44453 44455->44453 44456->44453 44458 5492e2a 44457->44458 44459 5492e7a 44457->44459 44477 5492e58 44458->44477 44480 5492e47 44458->44480 44460 5492e40 44460->44444 44465 5492db4 44463->44465 44464 5492e40 44464->44444 44466 5492e58 CallWindowProcW 44465->44466 44467 5492e47 CallWindowProcW 44465->44467 44466->44464 44467->44464 44470 5492db4 44468->44470 44469 5492e40 44469->44444 44471 5492e58 CallWindowProcW 44470->44471 44472 5492e47 CallWindowProcW 44470->44472 44471->44469 44472->44469 44474 5490bef 44473->44474 44475 549435a CallWindowProcW 44474->44475 44476 5494309 44474->44476 44475->44476 44476->44444 44478 5492e69 44477->44478 44485 5494292 44477->44485 44478->44460 44481 5492e43 44480->44481 44482 5492e52 44480->44482 44481->44460 44483 5492e69 44482->44483 44484 5494292 CallWindowProcW 44482->44484 44483->44460 44484->44483 44486 5490be4 CallWindowProcW 44485->44486 44487 54942aa 44486->44487 44487->44478 44488 2de4668 44489 2de467a 44488->44489 44490 2de4686 44489->44490 44494 2de4778 44489->44494 44499 2de3e40 44490->44499 44492 2de46a5 44495 2de479d 44494->44495 44503 2de4888 44495->44503 44507 2de4879 44495->44507 44500 2de3e4b 44499->44500 44515 2de5e4c 44500->44515 44502 2de706f 44502->44492 44505 2de48af 44503->44505 44504 2de498c 44504->44504 44505->44504 44511 2de44c4 44505->44511 44509 2de4888 44507->44509 44508 2de498c 44508->44508 44509->44508 44510 2de44c4 CreateActCtxA 44509->44510 44510->44508 44512 2de5918 CreateActCtxA 44511->44512 44514 2de59cf 44512->44514 44516 2de5e57 44515->44516 44519 2de5e6c 44516->44519 44518 2de751d 44518->44502 44520 2de5e77 44519->44520 44523 2de70a4 44520->44523 44522 2de75fa 44522->44518 44524 2de70af 44523->44524 44525 2de70d4 GetModuleHandleW 44524->44525 44526 2de76ed 44525->44526 44526->44522 44117 77cd061 44118 77cd322 44117->44118 44119 77cd06b 44117->44119 44122 77cfc40 44119->44122 44141 77cfc30 44119->44141 44123 77cfc5a 44122->44123 44133 77cfc62 44123->44133 44160 7a00505 44123->44160 44166 7a00245 44123->44166 44174 7a00482 44123->44174 44180 7a00102 44123->44180 44185 7a00221 44123->44185 44193 7a008fe 44123->44193 44201 7a00416 44123->44201 44206 7a00714 44123->44206 44210 7a00171 44123->44210 44216 7a00390 44123->44216 44220 7a00310 44123->44220 44225 7a002af 44123->44225 44233 7a004cd 44123->44233 44238 7a0076b 44123->44238 44246 7a00a89 44123->44246 44250 7a00827 44123->44250 44133->44118 44142 77cfc5a 44141->44142 44143 7a00221 5 API calls 44142->44143 44144 7a00102 2 API calls 44142->44144 44145 7a00482 4 API calls 44142->44145 44146 7a00245 5 API calls 44142->44146 44147 7a00505 3 API calls 44142->44147 44148 7a00827 4 API calls 44142->44148 44149 7a00a89 3 API calls 44142->44149 44150 7a0076b 5 API calls 44142->44150 44151 7a004cd 2 API calls 44142->44151 44152 77cfc62 44142->44152 44153 7a002af 5 API calls 44142->44153 44154 7a00310 2 API calls 44142->44154 44155 7a00390 3 API calls 44142->44155 44156 7a00171 2 API calls 44142->44156 44157 7a00714 2 API calls 44142->44157 44158 7a00416 3 API calls 44142->44158 44159 7a008fe 5 API calls 44142->44159 44143->44152 44144->44152 44145->44152 44146->44152 44147->44152 44148->44152 44149->44152 44150->44152 44151->44152 44152->44118 44153->44152 44154->44152 44155->44152 44156->44152 44157->44152 44158->44152 44159->44152 44161 7a0050b 44160->44161 44256 77cca98 44161->44256 44260 77cca93 44161->44260 44264 77ccb70 44161->44264 44162 7a0052e 44167 7a00221 44166->44167 44168 7a0077f 44167->44168 44268 77cc9a8 44167->44268 44272 77cc9a0 44167->44272 44276 77cc3d8 44168->44276 44280 77cc3d3 44168->44280 44169 7a00aa8 44175 7a00488 44174->44175 44179 77cc3d3 2 API calls 44175->44179 44287 77cc328 44175->44287 44291 77cc327 44175->44291 44176 7a00428 44176->44133 44179->44176 44181 7a00104 44180->44181 44295 77ccc24 44181->44295 44299 77ccc30 44181->44299 44187 7a0022d 44185->44187 44186 7a0077f 44189 77cc3d8 Wow64SetThreadContext 44186->44189 44190 77cc3d3 2 API calls 44186->44190 44187->44185 44187->44186 44191 77cc9a8 WriteProcessMemory 44187->44191 44192 77cc9a0 WriteProcessMemory 44187->44192 44188 7a00aa8 44188->44188 44189->44188 44190->44188 44191->44187 44192->44187 44194 7a00221 44193->44194 44195 7a0077f 44194->44195 44197 77cc9a8 WriteProcessMemory 44194->44197 44198 77cc9a0 WriteProcessMemory 44194->44198 44199 77cc3d8 Wow64SetThreadContext 44195->44199 44200 77cc3d3 2 API calls 44195->44200 44196 7a00aa8 44197->44194 44198->44194 44199->44196 44200->44196 44202 7a0038f 44201->44202 44204 77cc3d8 Wow64SetThreadContext 44202->44204 44205 77cc3d3 2 API calls 44202->44205 44203 7a003aa 44203->44133 44203->44203 44204->44203 44205->44203 44303 77cc8e8 44206->44303 44307 77cc8e0 44206->44307 44207 7a00732 44212 7a00104 44210->44212 44211 7a00c80 44212->44211 44214 77ccc24 CreateProcessA 44212->44214 44215 77ccc30 CreateProcessA 44212->44215 44213 7a00202 44214->44213 44215->44213 44218 77cc3d8 Wow64SetThreadContext 44216->44218 44219 77cc3d3 2 API calls 44216->44219 44217 7a003aa 44217->44133 44217->44217 44218->44217 44219->44217 44221 7a00333 44220->44221 44223 77cc9a8 WriteProcessMemory 44221->44223 44224 77cc9a0 WriteProcessMemory 44221->44224 44222 7a00701 44222->44133 44223->44222 44224->44222 44226 7a00221 44225->44226 44226->44225 44227 7a0077f 44226->44227 44229 77cc9a8 WriteProcessMemory 44226->44229 44230 77cc9a0 WriteProcessMemory 44226->44230 44231 77cc3d8 Wow64SetThreadContext 44227->44231 44232 77cc3d3 2 API calls 44227->44232 44228 7a00aa8 44229->44226 44230->44226 44231->44228 44232->44228 44234 7a004d6 44233->44234 44236 77cc9a8 WriteProcessMemory 44234->44236 44237 77cc9a0 WriteProcessMemory 44234->44237 44235 7a00629 44236->44235 44237->44235 44241 7a00221 44238->44241 44239 7a0077f 44244 77cc3d8 Wow64SetThreadContext 44239->44244 44245 77cc3d3 2 API calls 44239->44245 44240 7a00aa8 44241->44239 44242 77cc9a8 WriteProcessMemory 44241->44242 44243 77cc9a0 WriteProcessMemory 44241->44243 44242->44241 44243->44241 44244->44240 44245->44240 44247 7a00aa8 44246->44247 44248 77cc3d8 Wow64SetThreadContext 44246->44248 44249 77cc3d3 2 API calls 44246->44249 44248->44247 44249->44247 44251 7a00499 44250->44251 44252 7a00428 44251->44252 44253 77cc328 ResumeThread 44251->44253 44254 77cc327 ResumeThread 44251->44254 44255 77cc3d3 2 API calls 44251->44255 44252->44133 44253->44252 44254->44252 44255->44252 44257 77ccae3 ReadProcessMemory 44256->44257 44259 77ccb27 44257->44259 44259->44162 44261 77ccae3 ReadProcessMemory 44260->44261 44263 77ccb27 44261->44263 44263->44162 44265 77ccaf8 ReadProcessMemory 44264->44265 44267 77ccb77 44264->44267 44266 77ccb27 44265->44266 44266->44162 44267->44162 44269 77cc9f0 WriteProcessMemory 44268->44269 44271 77cca47 44269->44271 44271->44167 44273 77cc9a8 WriteProcessMemory 44272->44273 44275 77cca47 44273->44275 44275->44167 44277 77cc41d Wow64SetThreadContext 44276->44277 44279 77cc465 44277->44279 44279->44169 44281 77cc358 ResumeThread 44280->44281 44283 77cc3d7 Wow64SetThreadContext 44280->44283 44285 77cc399 44281->44285 44286 77cc465 44283->44286 44285->44169 44286->44169 44288 77cc368 ResumeThread 44287->44288 44290 77cc399 44288->44290 44290->44176 44292 77cc328 ResumeThread 44291->44292 44294 77cc399 44292->44294 44294->44176 44296 77cccb9 CreateProcessA 44295->44296 44298 77cce7b 44296->44298 44298->44298 44300 77cccb9 CreateProcessA 44299->44300 44302 77cce7b 44300->44302 44302->44302 44304 77cc928 VirtualAllocEx 44303->44304 44306 77cc965 44304->44306 44306->44207 44308 77cc8e8 VirtualAllocEx 44307->44308 44310 77cc965 44308->44310 44310->44207 44311 2ded3c0 44312 2ded406 44311->44312 44316 2ded590 44312->44316 44319 2ded5a0 44312->44319 44313 2ded4f3 44322 2deced8 44316->44322 44320 2ded5ce 44319->44320 44321 2deced8 DuplicateHandle 44319->44321 44320->44313 44321->44320 44323 2ded608 DuplicateHandle 44322->44323 44324 2ded5ce 44323->44324 44324->44313

                                                            Executed Functions

                                                            Function 07A01EF8 Relevance: .6, Instructions: 626COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1458084558.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7a00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3cdd285479656565e2b71fef6f17afe4d22e97ad43451912e90ef5a086b80044
                                                            • Instruction ID: 0450f05e27dc0e476da5a5dfcf849d1139a81eab19d90c613dc9e90447c0adb3
                                                            • Opcode Fuzzy Hash: 3cdd285479656565e2b71fef6f17afe4d22e97ad43451912e90ef5a086b80044
                                                            • Instruction Fuzzy Hash: 8E32ABB0B013059FDB19EBA5D564BAEB7F6AF89300F104869E5569B3E0CB35DC01CBA1
                                                            Function 05497C08 Relevance: .6, Instructions: 592COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1456099283.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_5490000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4bba43b4ad5e5ab4f73d93c125b005b39db55c85d7e79f337f6b15aa03ee53b3
                                                            • Instruction ID: e1bf00a5a477cd0fdfbc5c9d5a868c0f1006472d8db5806a66d6cda410844cac
                                                            • Opcode Fuzzy Hash: 4bba43b4ad5e5ab4f73d93c125b005b39db55c85d7e79f337f6b15aa03ee53b3
                                                            • Instruction Fuzzy Hash: A8526A34A003558FDB14EF28C844B99B7B2FFC9314F2582A9D5596F3A1DB71A982CF81
                                                            Function 0549A0B1 Relevance: .6, Instructions: 577COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1456099283.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_5490000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7772b8ce0ad36100270275f9dfa8c6a6ba2aaf104c381da6e86990200c2c31cc
                                                            • Instruction ID: 6d6813bc58e9d2ad3adc05362a1ca666ccbc7a61fb70dec24c02b3bfb7a1c168
                                                            • Opcode Fuzzy Hash: 7772b8ce0ad36100270275f9dfa8c6a6ba2aaf104c381da6e86990200c2c31cc
                                                            • Instruction Fuzzy Hash: CD526B34A003568FDB14DF28C844BD9B7B2FF89314F2582A9D5596F3A1DB71A982CF81
                                                            Function 07A004EE Relevance: .0, Instructions: 8COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1458084558.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7a00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db974a79e389ec3fb6f4f2c9a42d2ec4ee571096b2c8207ce570b6dac2bd3c6c
                                                            • Instruction ID: 5eb20c47a32fa991e0317e2e552d6b664da1d5f7285a03ca52181ecc9b301923
                                                            • Opcode Fuzzy Hash: db974a79e389ec3fb6f4f2c9a42d2ec4ee571096b2c8207ce570b6dac2bd3c6c
                                                            • Instruction Fuzzy Hash: 74A002F0DAE408C490205E1431453F7C07C020F3C0F403D3CC07B338C25810C001008D
                                                            Function 077CC3D3 Relevance: 3.1, APIs: 2, Instructions: 101threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • ResumeThread.KERNELBASE ref: 077CC38A
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077CC456
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Thread$ContextResumeWow64
                                                            • String ID:
                                                            • API String ID: 1826235168-0
                                                            • Opcode ID: c9a7d5f75e7a5344521fe54efbf57764f3f1888e0d93e9a4aa0488c28390675c
                                                            • Instruction ID: 45d51d3abea26c3ee8e79c201c225d6883fe866f0d6822d0a1983865f5b42001
                                                            • Opcode Fuzzy Hash: c9a7d5f75e7a5344521fe54efbf57764f3f1888e0d93e9a4aa0488c28390675c
                                                            • Instruction Fuzzy Hash: D13159B19003098FDB14DFAAD4457EEBBF5AF88324F14842ED519A7240CB789945CBA1
                                                            Function 077CCC24 Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 20 77ccc24-77cccc5 22 77cccfe-77ccd1e 20->22 23 77cccc7-77cccd1 20->23 28 77ccd57-77ccd86 22->28 29 77ccd20-77ccd2a 22->29 23->22 24 77cccd3-77cccd5 23->24 26 77cccf8-77cccfb 24->26 27 77cccd7-77ccce1 24->27 26->22 30 77ccce5-77cccf4 27->30 31 77ccce3 27->31 39 77ccdbf-77cce79 CreateProcessA 28->39 40 77ccd88-77ccd92 28->40 29->28 33 77ccd2c-77ccd2e 29->33 30->30 32 77cccf6 30->32 31->30 32->26 34 77ccd30-77ccd3a 33->34 35 77ccd51-77ccd54 33->35 37 77ccd3c 34->37 38 77ccd3e-77ccd4d 34->38 35->28 37->38 38->38 42 77ccd4f 38->42 51 77cce7b-77cce81 39->51 52 77cce82-77ccf08 39->52 40->39 41 77ccd94-77ccd96 40->41 43 77ccd98-77ccda2 41->43 44 77ccdb9-77ccdbc 41->44 42->35 46 77ccda4 43->46 47 77ccda6-77ccdb5 43->47 44->39 46->47 47->47 48 77ccdb7 47->48 48->44 51->52 62 77ccf18-77ccf1c 52->62 63 77ccf0a-77ccf0e 52->63 65 77ccf2c-77ccf30 62->65 66 77ccf1e-77ccf22 62->66 63->62 64 77ccf10 63->64 64->62 68 77ccf40-77ccf44 65->68 69 77ccf32-77ccf36 65->69 66->65 67 77ccf24 66->67 67->65 71 77ccf56-77ccf5d 68->71 72 77ccf46-77ccf4c 68->72 69->68 70 77ccf38 69->70 70->68 73 77ccf5f-77ccf6e 71->73 74 77ccf74 71->74 72->71 73->74 76 77ccf75 74->76 76->76
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077CCE66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 322ea27343a2704317555fdc61adab8a7d011863991715abacd754e7c7ac57fc
                                                            • Instruction ID: 79776c45788f3cd1d2450b9ca45a72eca5a8c82bc68cf5765921887f908d0c4d
                                                            • Opcode Fuzzy Hash: 322ea27343a2704317555fdc61adab8a7d011863991715abacd754e7c7ac57fc
                                                            • Instruction Fuzzy Hash: 5FA16BB1D0065ACFEB21DF68C840BDDBBB6BF49350F14856DE809A7280DB749985CFA1
                                                            Function 077CCC30 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 77 77ccc30-77cccc5 79 77cccfe-77ccd1e 77->79 80 77cccc7-77cccd1 77->80 85 77ccd57-77ccd86 79->85 86 77ccd20-77ccd2a 79->86 80->79 81 77cccd3-77cccd5 80->81 83 77cccf8-77cccfb 81->83 84 77cccd7-77ccce1 81->84 83->79 87 77ccce5-77cccf4 84->87 88 77ccce3 84->88 96 77ccdbf-77cce79 CreateProcessA 85->96 97 77ccd88-77ccd92 85->97 86->85 90 77ccd2c-77ccd2e 86->90 87->87 89 77cccf6 87->89 88->87 89->83 91 77ccd30-77ccd3a 90->91 92 77ccd51-77ccd54 90->92 94 77ccd3c 91->94 95 77ccd3e-77ccd4d 91->95 92->85 94->95 95->95 99 77ccd4f 95->99 108 77cce7b-77cce81 96->108 109 77cce82-77ccf08 96->109 97->96 98 77ccd94-77ccd96 97->98 100 77ccd98-77ccda2 98->100 101 77ccdb9-77ccdbc 98->101 99->92 103 77ccda4 100->103 104 77ccda6-77ccdb5 100->104 101->96 103->104 104->104 105 77ccdb7 104->105 105->101 108->109 119 77ccf18-77ccf1c 109->119 120 77ccf0a-77ccf0e 109->120 122 77ccf2c-77ccf30 119->122 123 77ccf1e-77ccf22 119->123 120->119 121 77ccf10 120->121 121->119 125 77ccf40-77ccf44 122->125 126 77ccf32-77ccf36 122->126 123->122 124 77ccf24 123->124 124->122 128 77ccf56-77ccf5d 125->128 129 77ccf46-77ccf4c 125->129 126->125 127 77ccf38 126->127 127->125 130 77ccf5f-77ccf6e 128->130 131 77ccf74 128->131 129->128 130->131 133 77ccf75 131->133 133->133
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077CCE66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: df6bc0724342b5fff06952930d0de61f1128c22803d5f2d2948146f339576f1c
                                                            • Instruction ID: 2e9e01ac198810b3c826913161272a027a8463c2a79fdb402c130e6a76c8b464
                                                            • Opcode Fuzzy Hash: df6bc0724342b5fff06952930d0de61f1128c22803d5f2d2948146f339576f1c
                                                            • Instruction Fuzzy Hash: 55915AB1D0061ACFEB21DF68C850BDDBBB6BF49350F14856DE809A7280DB749985CFA1
                                                            Function 02DEB130 Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 134 2deb130-2deb13f 135 2deb16b-2deb16f 134->135 136 2deb141-2deb14e call 2deaaf4 134->136 137 2deb183-2deb1c4 135->137 138 2deb171-2deb17b 135->138 143 2deb164 136->143 144 2deb150 136->144 145 2deb1c6-2deb1ce 137->145 146 2deb1d1-2deb1df 137->146 138->137 143->135 189 2deb156 call 2deb3ba 144->189 190 2deb156 call 2deb3c8 144->190 145->146 148 2deb203-2deb205 146->148 149 2deb1e1-2deb1e6 146->149 147 2deb15c-2deb15e 147->143 150 2deb2a0-2deb360 147->150 151 2deb208-2deb20f 148->151 152 2deb1e8-2deb1ef call 2deab00 149->152 153 2deb1f1 149->153 184 2deb368-2deb393 GetModuleHandleW 150->184 185 2deb362-2deb365 150->185 155 2deb21c-2deb223 151->155 156 2deb211-2deb219 151->156 154 2deb1f3-2deb201 152->154 153->154 154->151 159 2deb225-2deb22d 155->159 160 2deb230-2deb239 call 2deab10 155->160 156->155 159->160 165 2deb23b-2deb243 160->165 166 2deb246-2deb24b 160->166 165->166 167 2deb24d-2deb254 166->167 168 2deb269-2deb276 166->168 167->168 170 2deb256-2deb266 call 2deab20 call 2deab30 167->170 175 2deb278-2deb296 168->175 176 2deb299-2deb29f 168->176 170->168 175->176 186 2deb39c-2deb3b0 184->186 187 2deb395-2deb39b 184->187 185->184 187->186 189->147 190->147
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02DEB386
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 96d3c409bc6755d77853aacb914e941f3ab8d497ec0cf05b325c89dd23b27e34
                                                            • Instruction ID: c9181c31665d927b235b8c8748952cc751de1837e01032ac65c146637b2245d7
                                                            • Opcode Fuzzy Hash: 96d3c409bc6755d77853aacb914e941f3ab8d497ec0cf05b325c89dd23b27e34
                                                            • Instruction Fuzzy Hash: CA712470A00B058FDB24EF6AD55575ABBF2FF88604F008A2ED48AD7B50DB74E845CB91
                                                            Function 02DE590D Relevance: 1.6, APIs: 1, Instructions: 122COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 191 2de590d-2de5914 192 2de5916-2de59d9 CreateActCtxA 191->192 193 2de58b1-2de58d9 191->193 198 2de59db-2de59e1 192->198 199 2de59e2-2de5a3c 192->199 196 2de58db-2de58e1 193->196 197 2de58e2-2de5903 193->197 196->197 198->199 207 2de5a3e-2de5a41 199->207 208 2de5a4b-2de5a4f 199->208 207->208 209 2de5a60-2de5a90 208->209 210 2de5a51-2de5a5d 208->210 214 2de5a42-2de5a4a 209->214 215 2de5a92-2de5b14 209->215 210->209 214->208 218 2de59cf-2de59d9 214->218 218->198 218->199
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02DE59C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: fa3e277520984e36ee81c6c9cb2b385741fd0338ad4c04e99a671ae7bfcb0ddb
                                                            • Instruction ID: eed9b9569a96be4fba255ce2f5e3074fc35a579a09572d52efd2bfe7f8d2674b
                                                            • Opcode Fuzzy Hash: fa3e277520984e36ee81c6c9cb2b385741fd0338ad4c04e99a671ae7bfcb0ddb
                                                            • Instruction Fuzzy Hash: 325101B1C00719CFEB24DFA9D8847DEBBF5AF48318F60806AD409AB251D775A94ACF50
                                                            Function 05490BE4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 219 5490be4-54942fc 222 54943ac-54943cc call 5490abc 219->222 223 5494302-5494307 219->223 230 54943cf-54943dc 222->230 225 5494309-5494340 223->225 226 549435a-5494392 CallWindowProcW 223->226 232 5494349-5494358 225->232 233 5494342-5494348 225->233 228 549439b-54943aa 226->228 229 5494394-549439a 226->229 228->230 229->228 232->230 233->232
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05494381
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1456099283.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_5490000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: d9298e9c73c26aa20ace33f073397c64b1f6d6d0ce968ce4794e1aa85e8b639b
                                                            • Instruction ID: e520f11b9cd591be486fae24a8f74f2d09444a1b6158c258cad27bc31b050a8a
                                                            • Opcode Fuzzy Hash: d9298e9c73c26aa20ace33f073397c64b1f6d6d0ce968ce4794e1aa85e8b639b
                                                            • Instruction Fuzzy Hash: B5412B75A003098FDB18DF99C489AEAFBF5FB88314F14845AD419A7361D774A841CFA0
                                                            Function 02DE44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 236 2de44c4-2de59d9 CreateActCtxA 239 2de59db-2de59e1 236->239 240 2de59e2-2de5a3c 236->240 239->240 247 2de5a3e-2de5a41 240->247 248 2de5a4b-2de5a4f 240->248 247->248 249 2de5a60-2de5a90 248->249 250 2de5a51-2de5a5d 248->250 254 2de5a42-2de5a4a 249->254 255 2de5a92-2de5b14 249->255 250->249 254->248 258 2de59cf-2de59d9 254->258 258->239 258->240
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02DE59C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 6f55076659eecdbeda95fc2d158a3a7997fd154bac8300c852ee58caac4b0e0f
                                                            • Instruction ID: 1ef350932d6c68eea33a22a372f7a030d5824f89afabcd613f6a5d63124257a6
                                                            • Opcode Fuzzy Hash: 6f55076659eecdbeda95fc2d158a3a7997fd154bac8300c852ee58caac4b0e0f
                                                            • Instruction Fuzzy Hash: 7841E171C00719CFDB24DFA9C8847CEBBB5BF88704F60806AD409AB251DB756946CF90
                                                            Function 077CCB70 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 259 77ccb70-77ccb75 260 77ccaf8-77ccb25 ReadProcessMemory 259->260 261 77ccb77-77ccbea 259->261 262 77ccb2e-77ccb5e 260->262 263 77ccb27-77ccb2d 260->263 271 77ccbec-77ccbf2 261->271 272 77ccbf3-77ccc18 261->272 263->262 271->272
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077CCB18
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 3151d38bdd90e63cf94162e77cfa25e909526133d613dd7ceb99f212a47a2a35
                                                            • Instruction ID: 66f9e8e79291fb7af2235c57addc08dcc1c812f2a48785813ba9a4220232572d
                                                            • Opcode Fuzzy Hash: 3151d38bdd90e63cf94162e77cfa25e909526133d613dd7ceb99f212a47a2a35
                                                            • Instruction Fuzzy Hash: A53169B68003498FDB10DFAAD8457DEFBF9EF88320F14881ED559A7250CB799554CBA0
                                                            Function 077CC9A0 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 276 77cc9a0-77cc9f6 279 77cc9f8-77cca04 276->279 280 77cca06-77cca45 WriteProcessMemory 276->280 279->280 282 77cca4e-77cca7e 280->282 283 77cca47-77cca4d 280->283 283->282
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077CCA38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 4c68438e3bb75569a82d56ac5ea091f804769137827997358b6fbcb75de22f48
                                                            • Instruction ID: 2e6582b3e73bc54c57459dbcffc6d53b403adda5eee3bff5bc1e069b3242181b
                                                            • Opcode Fuzzy Hash: 4c68438e3bb75569a82d56ac5ea091f804769137827997358b6fbcb75de22f48
                                                            • Instruction Fuzzy Hash: 822177B19003499FDB10CFAAC885BDEBBF5FF48310F14882EE959A7240C7789944CBA4
                                                            Function 077CC9A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 287 77cc9a8-77cc9f6 289 77cc9f8-77cca04 287->289 290 77cca06-77cca45 WriteProcessMemory 287->290 289->290 292 77cca4e-77cca7e 290->292 293 77cca47-77cca4d 290->293 293->292
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077CCA38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 650a69e92b47696d44dc6a200f86e8af13163aa40e0a691c21c498f204c2632c
                                                            • Instruction ID: af4215c25e521900c6d83bd4fec30a799bc48a3a4c13ceaa493de3de0373c8b0
                                                            • Opcode Fuzzy Hash: 650a69e92b47696d44dc6a200f86e8af13163aa40e0a691c21c498f204c2632c
                                                            • Instruction Fuzzy Hash: 532125B59003599FDB10DFAAC885BDEBBF5FF48310F14882EE919A7240D7789944CBA4
                                                            Function 02DECED8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 297 2deced8-2ded69c DuplicateHandle 299 2ded69e-2ded6a4 297->299 300 2ded6a5-2ded6c2 297->300 299->300
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DED5CE,?,?,?,?,?), ref: 02DED68F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 35d36978d344b2cbeef2808fe8787c937eb81273cb19fbc31ec9040a5a262210
                                                            • Instruction ID: 02115b6b7f4c202ff69890f92df7b4ae937ca63f9b0332746aa390a3dcf0df4a
                                                            • Opcode Fuzzy Hash: 35d36978d344b2cbeef2808fe8787c937eb81273cb19fbc31ec9040a5a262210
                                                            • Instruction Fuzzy Hash: 9A2114B590034C9FDB10DFAAD884ADEBBF9FB48310F10841AE959A3350D378A950CFA4
                                                            Function 077CC3D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 308 77cc3d8-77cc423 310 77cc425-77cc431 308->310 311 77cc433-77cc463 Wow64SetThreadContext 308->311 310->311 313 77cc46c-77cc49c 311->313 314 77cc465-77cc46b 311->314 314->313
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077CC456
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 19ff3699d2302d9c2f0dda341ff8798dee7999145f80e8111717dcb1d2eb8fe3
                                                            • Instruction ID: 594b18c7bd42438735bc0f40a449380b789f2e6b2e924f62058c649143cc4e5d
                                                            • Opcode Fuzzy Hash: 19ff3699d2302d9c2f0dda341ff8798dee7999145f80e8111717dcb1d2eb8fe3
                                                            • Instruction Fuzzy Hash: 452135B1D003098FDB10DFAAC4857AEBBF5EF88360F54842ED519A7240CB789A45CFA4
                                                            Function 077CCA98 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 327 77cca98-77ccb25 ReadProcessMemory 331 77ccb2e-77ccb5e 327->331 332 77ccb27-77ccb2d 327->332 332->331
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077CCB18
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 395682f96829168f263cba93da71452800bd8c1ff14138d2f6ed83ba2cd48c0a
                                                            • Instruction ID: a39c789a82a91cf7c0059611d877883fb38ac1bdc2fbb792605de344261d6274
                                                            • Opcode Fuzzy Hash: 395682f96829168f263cba93da71452800bd8c1ff14138d2f6ed83ba2cd48c0a
                                                            • Instruction Fuzzy Hash: FA2128B18003499FDB10DFAAC880BDEBBF5FF48310F50842EE519A7240C7789544DBA4
                                                            Function 077CCA93 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 318 77cca93-77ccb25 ReadProcessMemory 322 77ccb2e-77ccb5e 318->322 323 77ccb27-77ccb2d 318->323 323->322
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077CCB18
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 4526f62c3fa8668be348eac7ef8bb7bf33d28cce31e34f1ed113104330aa6f28
                                                            • Instruction ID: 772ca32fe63b0eaeb09eccab07e76d809bea3da2305cc493f50394e08cbf41bf
                                                            • Opcode Fuzzy Hash: 4526f62c3fa8668be348eac7ef8bb7bf33d28cce31e34f1ed113104330aa6f28
                                                            • Instruction Fuzzy Hash: 4A2105B58003599FDB10DFAAC880BEEBBF5FF48310F10882AE519A7240D77895459BA0
                                                            Function 02DED600 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 303 2ded600-2ded69c DuplicateHandle 304 2ded69e-2ded6a4 303->304 305 2ded6a5-2ded6c2 303->305 304->305
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DED5CE,?,?,?,?,?), ref: 02DED68F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 85680163acaacf9664228d16c823c82fad05ed81c386e0d9c8f37370524c959b
                                                            • Instruction ID: 087d9b772b8526e0a14e6d5bcda0836660b733ec650d5daed5c3765996c92aa6
                                                            • Opcode Fuzzy Hash: 85680163acaacf9664228d16c823c82fad05ed81c386e0d9c8f37370524c959b
                                                            • Instruction Fuzzy Hash: 922114B5D002489FDB10CFAAD584BDEBBF9FB48320F24841AE958A3350D378A944CF60
                                                            Function 077CC8E0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077CC956
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: c2fd63ac7f36264626c83b49f65b24e7505d35cf3a432faeba3cbf6aa3570f0a
                                                            • Instruction ID: 3e1d1078e4dab991db241e83c3c65b2f33e3280b0af75086fe3c946f7b72f864
                                                            • Opcode Fuzzy Hash: c2fd63ac7f36264626c83b49f65b24e7505d35cf3a432faeba3cbf6aa3570f0a
                                                            • Instruction Fuzzy Hash: 1A1167728003499FDB10DFAAD844BEEBFF5AF88320F10881EE559A7650CB759540CBA0
                                                            Function 077CC8E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077CC956
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 76e99540716eedf5c374fc0dca8228ca9f6bdbe868eeea9b2264d930f88be11e
                                                            • Instruction ID: 2619c7737999eab9dbdb1cc3841297f3b99844bb6386ef77406fd0bd8beeed3f
                                                            • Opcode Fuzzy Hash: 76e99540716eedf5c374fc0dca8228ca9f6bdbe868eeea9b2264d930f88be11e
                                                            • Instruction Fuzzy Hash: 8D1137758003499FDB10DFAAC844BEEBBF5EF88720F14881DE519A7250C7759544CFA4
                                                            Function 077CC327 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 93c326aa0fdf3aee2f017b822fb07c6f5ee7765f7f4fec09d33e0fc46f444803
                                                            • Instruction ID: a415b5d7dcc9f277c443929283b284bab5885f22d96ddbfde432e59b7f060ac0
                                                            • Opcode Fuzzy Hash: 93c326aa0fdf3aee2f017b822fb07c6f5ee7765f7f4fec09d33e0fc46f444803
                                                            • Instruction Fuzzy Hash: FC1158B1C003498FDB20DFAAD4457DEFBF4AB88320F14881ED419A7240CB796544CBA5
                                                            Function 077CC328 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 166fc8f39d47db620bb7ab9c930f093c8681e3c591f38c19a89171bb3bb22f78
                                                            • Instruction ID: dd8ca986be597753ab8136bc384447ec899cfdcec7206f51b605849b4b33cddd
                                                            • Opcode Fuzzy Hash: 166fc8f39d47db620bb7ab9c930f093c8681e3c591f38c19a89171bb3bb22f78
                                                            • Instruction Fuzzy Hash: C01128B1D003498FDB10DFAAD44579EFBF5AB88720F14881ED519A7240CB796544CBA5
                                                            Function 07A01188 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 07A011ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1458084558.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7a00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 6c745d642b53ddb4eb518244550ca5b4ed159fead77d24b4a94fe03e00846651
                                                            • Instruction ID: 35956864f96a8279b91ad8f067ffdcc4f7703ea7579605c7c9825297146304af
                                                            • Opcode Fuzzy Hash: 6c745d642b53ddb4eb518244550ca5b4ed159fead77d24b4a94fe03e00846651
                                                            • Instruction Fuzzy Hash: 6F1102B5800349DFDB10DF9AD844BDEBFF8EB48320F10841AD454A7641C375A584CFA1
                                                            Function 02DEB320 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02DEB386
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 5f74632bfaf131097902a11f6a1a80e19f538a372b9fad99aeeb0e647f6d9385
                                                            • Instruction ID: 4f1e70e6968911915c764fe21d2740b2754a70f7d6703d6f9d72fab7a8af7575
                                                            • Opcode Fuzzy Hash: 5f74632bfaf131097902a11f6a1a80e19f538a372b9fad99aeeb0e647f6d9385
                                                            • Instruction Fuzzy Hash: 1F110FB6C007498FDB10DF9AD444A9EFBF4BB88224F10841AD459A7710C379A945CFA1
                                                            Function 07A01190 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 07A011ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1458084558.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7a00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 8bc45b603959b69274550a50e760dc4a66f75bc297caa761dffbc967075a16f1
                                                            • Instruction ID: e75cf0fdb2ef6a70fc6bde5cb35a7651ee72e45d354705a823e4bfbcd57d639c
                                                            • Opcode Fuzzy Hash: 8bc45b603959b69274550a50e760dc4a66f75bc297caa761dffbc967075a16f1
                                                            • Instruction Fuzzy Hash: EE11D3B5800349DFDB10DF9AD885BDEBBF8FB48320F10841AD518A7650D375A544CFA5
                                                            Function 0168D3D8 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448109750.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_168d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 756e392da2b8b71d9c5ca2364636b7ec21acf348cb625f5a12bebfa07b94cb4d
                                                            • Instruction ID: aecf4dd7ca131b382bc88c018366139b0d93313143cc038bda0bc94c03126072
                                                            • Opcode Fuzzy Hash: 756e392da2b8b71d9c5ca2364636b7ec21acf348cb625f5a12bebfa07b94cb4d
                                                            • Instruction Fuzzy Hash: 3C21F475504204DFDB05EF58D9C4B56BB65FB88324F20C269D9090B396C376E456CAB2
                                                            Function 0168D110 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448109750.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_168d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 84aa0f20d83f832f0403d399793bdee97c1e0318a1d8fb25bd2d0e7af94fd500
                                                            • Instruction ID: 700909e3f9dba6162e866292b517124d735f0d3bcb5a4e054b0f3141a570e7c3
                                                            • Opcode Fuzzy Hash: 84aa0f20d83f832f0403d399793bdee97c1e0318a1d8fb25bd2d0e7af94fd500
                                                            • Instruction Fuzzy Hash: 6421F171604204DFDB05EF54DD80B16BF66FF88326F208269E9490A386C336D456CBB2
                                                            Function 0169D01C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448217300.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_169d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e47453bde548a377625b5b6749cbb0546703f3ef7359e7fcbd02bca8577f6ede
                                                            • Instruction ID: f317750e0d5d2c6b184ae5e5daa0cb3d2001dc8217bf56611765860faadec407
                                                            • Opcode Fuzzy Hash: e47453bde548a377625b5b6749cbb0546703f3ef7359e7fcbd02bca8577f6ede
                                                            • Instruction Fuzzy Hash: BE21D075604304DFDF15DF64D984B26BB69FB84264F20C57DD84A4B386C33AD447CA62
                                                            Function 0169D1D4 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448217300.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_169d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 34f79e3b0c05a80fd0b838895c76c077630f13c86c7bf99e5faddf62f1b3d92c
                                                            • Instruction ID: 3e3dc11fc62d61f9df50a8e5c3ba36a4406d486a946fd565fc7418e1d59ba829
                                                            • Opcode Fuzzy Hash: 34f79e3b0c05a80fd0b838895c76c077630f13c86c7bf99e5faddf62f1b3d92c
                                                            • Instruction Fuzzy Hash: 1621D0B5604304AFDF05DF94D984B26BBA9FB84224F20C6BDEA494B396C336D446CA61
                                                            Function 0169D006 Relevance: .1, Instructions: 61COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448217300.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_169d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8e9c366e9b0dfbe549bf6f4ab6b096bfabd6ea1ddac148f37298c9f78ab1d826
                                                            • Instruction ID: 090ea09ea4ca249516e170883f32d6273b435f8c8de3cf877bdf354215934b7a
                                                            • Opcode Fuzzy Hash: 8e9c366e9b0dfbe549bf6f4ab6b096bfabd6ea1ddac148f37298c9f78ab1d826
                                                            • Instruction Fuzzy Hash: 77219F755083809FDB02CF64D994B11BFB5FB46314F24C5EAD8498F2A7C33A9806CB62
                                                            Function 0168D10B Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448109750.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_168d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: a5c5c80193b503b4fa9f73157f2b71e54361e4cb2f8cacd601595d1840286338
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 6011DC76504280CFCB02DF44D9C0B16BF72FB84325F2482A9D8490B797C33AD45ACBA2
                                                            Function 0168D3D3 Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448109750.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_168d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 3a44e2c81f31dd3a1677dbc4bcc540410c8f1504caf4c6242355659a1ce91bbb
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 8E11DF76504240DFCB02DF48D9C0B56BF72FB84324F24C2A9D8090B297C33AE45ACBA1
                                                            Function 0169D1CF Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448217300.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_169d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: b5c9c5743e5b6f720b41345647da201a8e26b2e049ef2267763f6d290f7638a9
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: 0311BB75504280DFCB02CF54C9C0B15BBA2FB84224F24C6ADD9494B396C33AD40ACB61
                                                            Function 0168D759 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448109750.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_168d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8456523add268b367bbe69f51969371d728dcaadf01cae50af152ce9769bb32b
                                                            • Instruction ID: 6cef50f2b6c9789a61aa4457f9ed44c8941bb893421cf06b8343557bbe716f2c
                                                            • Opcode Fuzzy Hash: 8456523add268b367bbe69f51969371d728dcaadf01cae50af152ce9769bb32b
                                                            • Instruction Fuzzy Hash: ED01F271004384AAE7207AA5CC84B76BF98EF41625F18C61AED090A2C2C3789840CAB2
                                                            Function 0168D758 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448109750.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_168d000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c2f9a0f3b399abf26d4d5cd2e65214efd8a175b814a67781b387b66642eb366
                                                            • Instruction ID: a13fa3c86f09e4826d8b9907e205b6e0b0ae2bb3e5d06fe2d71a74f061ed8119
                                                            • Opcode Fuzzy Hash: 4c2f9a0f3b399abf26d4d5cd2e65214efd8a175b814a67781b387b66642eb366
                                                            • Instruction Fuzzy Hash: 09F062714043849EE7109E1ADC84B62FFA8EF45635F18C55AED084B3C7C379A844CAB1

                                                            Non-executed Functions

                                                            Function 05490040 Relevance: .3, Instructions: 315COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1456099283.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_5490000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3e6fd99ed2a3010c1f94bff5f6a1f18fdac1c318b7fccc6df05c8277f47b8eb
                                                            • Instruction ID: 3f1c79d42fa0db0cc53f6bf5a992c94acedd3db83494a4b43c37ecce770f28ef
                                                            • Opcode Fuzzy Hash: e3e6fd99ed2a3010c1f94bff5f6a1f18fdac1c318b7fccc6df05c8277f47b8eb
                                                            • Instruction Fuzzy Hash: B61287B2CE1765CBD718CF66E84C19A3BB1B786324FD04A09D2612B2E1D7B411EACF44
                                                            Function 077CA428 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 88e99420b8999750c76d0417400ca04502cc687f73de046082699bc476256851
                                                            • Instruction ID: 302993c39856deda642be2bab9dab42c717dccca1893ff1622f05ae74fe0d3d1
                                                            • Opcode Fuzzy Hash: 88e99420b8999750c76d0417400ca04502cc687f73de046082699bc476256851
                                                            • Instruction Fuzzy Hash: 7AE1F9B4E002198FDB14DFA8D590AAEFBB2FF89345F24C169E415AB355D730A942CF60
                                                            Function 077CC4B0 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0070b116e79c53397ca4765d70d68314dc717b5ba7979ffa25d132c5135d00a1
                                                            • Instruction ID: e5be41dcbb99a0fbbd885fe04c9efb3ba6ef73af389934167d978b9a47d57f43
                                                            • Opcode Fuzzy Hash: 0070b116e79c53397ca4765d70d68314dc717b5ba7979ffa25d132c5135d00a1
                                                            • Instruction Fuzzy Hash: 76E10CB4E002198FDB14DFA9C590AAEFBF2FF89345F248169D419AB355D730A942CF60
                                                            Function 077C9FF0 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c6202a23078ddcc6d0472ac1d23b31c66b8e27a9ad9f51bf629a44310633d5f
                                                            • Instruction ID: 08031fd0ba0656c846d4bfd7a9180fbe5d0231adcf77a19eccbe1d0ad9563b87
                                                            • Opcode Fuzzy Hash: 1c6202a23078ddcc6d0472ac1d23b31c66b8e27a9ad9f51bf629a44310633d5f
                                                            • Instruction Fuzzy Hash: 64E109B4E002198FDB14DFA8C590AAEFBB2FF89345F24C169D415AB355DB31A942CF60
                                                            Function 077CBB00 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 189ec195114170841d809f05b9f361faeaea51465e860cd8040a821218f974ad
                                                            • Instruction ID: 23445a9c09c462cc7b45b2eb888ee790a9780da310a5cdbf51f63dde59a1f2f8
                                                            • Opcode Fuzzy Hash: 189ec195114170841d809f05b9f361faeaea51465e860cd8040a821218f974ad
                                                            • Instruction Fuzzy Hash: E9E12DB4E002198FDB14DFA9C581AAEFBB2FF89345F248159E415A7356DB30A941CF60
                                                            Function 077CA860 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a55e4ebe29920ac50e21d1cdeda7b04e2a560798c383ad0c886b106af0d403ba
                                                            • Instruction ID: 720d3b26ab72eb80c7e507aad52d74753629c548e3ec26086caf4d9c6bfdf1ec
                                                            • Opcode Fuzzy Hash: a55e4ebe29920ac50e21d1cdeda7b04e2a560798c383ad0c886b106af0d403ba
                                                            • Instruction Fuzzy Hash: 47E11AB4E002198FDB14DFA8C580AAEFBB2FF89345F24C169D415AB356D730A942CF60
                                                            Function 07A03570 Relevance: .3, Instructions: 298COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1458084558.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7a00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4fc5ea75276449ec5068adbca5c3fa2fe4a43cf054e7b592cd68fc5b79da6675
                                                            • Instruction ID: b8d4dd2f220224fee3fe638baa719dae36c2e74ee74a692248ee37324a795d53
                                                            • Opcode Fuzzy Hash: 4fc5ea75276449ec5068adbca5c3fa2fe4a43cf054e7b592cd68fc5b79da6675
                                                            • Instruction Fuzzy Hash: 79D1D7B4A00605CFDB18DF69D598AA9B7F1BF8D701F2584A8E415EB3A1DB31AD40CF60
                                                            Function 077C16E8 Relevance: .3, Instructions: 267COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: de84bbf9d45c1ac6d46e460ac91d4d0c489d84c9a080ae607f75c63524065016
                                                            • Instruction ID: e21d1de5fd4951fdf6b7959485855702d41213761e9093d6cd045c8f34a354dd
                                                            • Opcode Fuzzy Hash: de84bbf9d45c1ac6d46e460ac91d4d0c489d84c9a080ae607f75c63524065016
                                                            • Instruction Fuzzy Hash: 03D1073192075ACACB00EB64D9906E9B7B1FF95200F60979AD5097B224FF70AAC5CF91
                                                            Function 077C16F8 Relevance: .3, Instructions: 264COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c4a6f55fb1afd9f562e904f4e13a4576b99538a3b0a505d3456817adbcd28685
                                                            • Instruction ID: 58dc126254f6285f44b250f5ce1d558ecedda9161141fb5535b3053972b09aca
                                                            • Opcode Fuzzy Hash: c4a6f55fb1afd9f562e904f4e13a4576b99538a3b0a505d3456817adbcd28685
                                                            • Instruction Fuzzy Hash: 27D1F83192075ACACB00EF64D9906E9B7B1FF95200F60D79AD5097B224EF70AAC5CF91
                                                            Function 02DEDF64 Relevance: .3, Instructions: 264COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1448594444.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2de0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3b02d8a9430949962dd8e23bdc19798521b1516d95ab7562dcf21b568f3cd17
                                                            • Instruction ID: 700c0cb29c422411bd672f8078ecee14b9faa20d88c6e342a9dc1d0817e8ea6c
                                                            • Opcode Fuzzy Hash: c3b02d8a9430949962dd8e23bdc19798521b1516d95ab7562dcf21b568f3cd17
                                                            • Instruction Fuzzy Hash: 12A16A32E002198FCF19EFB5C88059EB7B6FF84304B25456AE802AB365DB71ED55CB90
                                                            Function 05490006 Relevance: .3, Instructions: 255COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1456099283.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_5490000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b633e5f1467d23afa151a5756feccfa56fdbfda2b94af8a9778c4328b945749
                                                            • Instruction ID: ec05dd92787de3d7f89107708eb176242e090a2dc6f89fe42d564ddee5025baf
                                                            • Opcode Fuzzy Hash: 9b633e5f1467d23afa151a5756feccfa56fdbfda2b94af8a9778c4328b945749
                                                            • Instruction Fuzzy Hash: 2DD12BB2CE1765CBD718CF26E8481DA3BB1BB86324FD54A09D1616B2E1DBB410E6CF44
                                                            Function 077CC4A3 Relevance: .1, Instructions: 132COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1457864968.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_77c0000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 71f6444767cd6f0ebc966320cf5cf24e6f3643929afae243298feb8795b16c83
                                                            • Instruction ID: cb3fdf04bcd0402daac7c955a9af7f8bd60d129af7a96be71b43f965eceedf9d
                                                            • Opcode Fuzzy Hash: 71f6444767cd6f0ebc966320cf5cf24e6f3643929afae243298feb8795b16c83
                                                            • Instruction Fuzzy Hash: 2C513BB0E002198FDB15DFA9D5805AEFBF2FF89305F24816AD418AB356D7309942CF60

                                                            Execution Graph

                                                            Execution Coverage:11.9%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:24
                                                            Total number of Limit Nodes:6
                                                            execution_graph 21948 20b0848 21950 20b084e 21948->21950 21949 20b091b 21950->21949 21953 20b136f 21950->21953 21958 20b147a 21950->21958 21954 20b1373 21953->21954 21955 20b12a4 21953->21955 21954->21955 21956 20b147a GlobalMemoryStatusEx 21954->21956 21964 20b7ea8 21954->21964 21955->21950 21956->21954 21960 20b1386 21958->21960 21961 20b147f 21958->21961 21959 20b1470 21959->21950 21960->21959 21962 20b7ea8 GlobalMemoryStatusEx 21960->21962 21963 20b147a GlobalMemoryStatusEx 21960->21963 21961->21950 21962->21960 21963->21960 21965 20b7eb2 21964->21965 21966 20b7ecc 21965->21966 21969 5d5daa0 21965->21969 21973 5d5da90 21965->21973 21966->21954 21970 5d5dab5 21969->21970 21971 5d5dcca 21970->21971 21972 5d5dce1 GlobalMemoryStatusEx 21970->21972 21971->21966 21972->21970 21974 5d5daa0 21973->21974 21975 5d5dcca 21974->21975 21976 5d5dce1 GlobalMemoryStatusEx 21974->21976 21975->21966 21976->21974

                                                            Executed Functions

                                                            Function 020BA958 Relevance: 2.8, Instructions: 2818COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 45eb70e66e4cffa4c7fb614affd4c9297b636ea363d9f9c27f9cbfaaa8edd004
                                                            • Instruction ID: 89067dcdf3d83b39c825a774ba0c57c4d7666602c4b02184097da5b73141d0e8
                                                            • Opcode Fuzzy Hash: 45eb70e66e4cffa4c7fb614affd4c9297b636ea363d9f9c27f9cbfaaa8edd004
                                                            • Instruction Fuzzy Hash: AA53D731D10B1A8ADB61EF68C8806D9F7B1EF99300F11D79AE45877121FB70AAD5CB81
                                                            Function 020B3E70 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 642 20b3e70-20b3ed6 644 20b3ed8-20b3ee3 642->644 645 20b3f20-20b3f22 642->645 644->645 646 20b3ee5-20b3ef1 644->646 647 20b3f24-20b3f7c 645->647 648 20b3ef3-20b3efd 646->648 649 20b3f14-20b3f1e 646->649 656 20b3f7e-20b3f89 647->656 657 20b3fc6-20b3fc8 647->657 650 20b3eff 648->650 651 20b3f01-20b3f10 648->651 649->647 650->651 651->651 653 20b3f12 651->653 653->649 656->657 659 20b3f8b-20b3f97 656->659 658 20b3fca-20b3fe2 657->658 666 20b402c-20b402e 658->666 667 20b3fe4-20b3fef 658->667 660 20b3fba-20b3fc4 659->660 661 20b3f99-20b3fa3 659->661 660->658 662 20b3fa7-20b3fb6 661->662 663 20b3fa5 661->663 662->662 665 20b3fb8 662->665 663->662 665->660 668 20b4030-20b407e 666->668 667->666 669 20b3ff1-20b3ffd 667->669 677 20b4084-20b4092 668->677 670 20b3fff-20b4009 669->670 671 20b4020-20b402a 669->671 673 20b400b 670->673 674 20b400d-20b401c 670->674 671->668 673->674 674->674 675 20b401e 674->675 675->671 678 20b409b-20b40fb 677->678 679 20b4094-20b409a 677->679 686 20b410b-20b410f 678->686 687 20b40fd-20b4101 678->687 679->678 689 20b411f-20b4123 686->689 690 20b4111-20b4115 686->690 687->686 688 20b4103 687->688 688->686 691 20b4133-20b4137 689->691 692 20b4125-20b4129 689->692 690->689 693 20b4117-20b411a call 20b0ab8 690->693 695 20b4139-20b413d 691->695 696 20b4147-20b414b 691->696 692->691 694 20b412b-20b412e call 20b0ab8 692->694 693->689 694->691 695->696 699 20b413f-20b4142 call 20b0ab8 695->699 700 20b415b-20b415f 696->700 701 20b414d-20b4151 696->701 699->696 704 20b416f 700->704 705 20b4161-20b4165 700->705 701->700 703 20b4153 701->703 703->700 707 20b4170 704->707 705->704 706 20b4167 705->706 706->704 707->707
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin
                                                            • API String ID: 0-3600523701
                                                            • Opcode ID: a258ed1c3cb7b774c94e71eccf9f4d6f91e4f3e4346a2a137ed7eefd0ab1645d
                                                            • Instruction ID: cde2fe442fcfa6056cc4500d1922bc8011c8c964c22a69e7e52b5b79d9089a27
                                                            • Opcode Fuzzy Hash: a258ed1c3cb7b774c94e71eccf9f4d6f91e4f3e4346a2a137ed7eefd0ab1645d
                                                            • Instruction Fuzzy Hash: F1917D70E0030ACFDF66CFA8C9947DEBBF2AF88304F248529E404A7294DB749945DB91
                                                            Function 020B4A88 Relevance: .3, Instructions: 266COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 80b255d2f73fd85fd337574744af2f9fc8f4d857dd855e2b64d8e416b96b604c
                                                            • Instruction ID: 5bfa8e641346fb50e60de3293df014d24cd4355a37a271e04ff3d29e2579a04a
                                                            • Opcode Fuzzy Hash: 80b255d2f73fd85fd337574744af2f9fc8f4d857dd855e2b64d8e416b96b604c
                                                            • Instruction Fuzzy Hash: 07B17D70E00309CFDB66CFA9C8A17EDBBF2AF88714F148529D414E7295EB349945DB81
                                                            Function 020B4800 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 517 20b4800-20b488c 520 20b488e-20b4899 517->520 521 20b48d6-20b48d8 517->521 520->521 522 20b489b-20b48a7 520->522 523 20b48da-20b48f2 521->523 524 20b48ca-20b48d4 522->524 525 20b48a9-20b48b3 522->525 530 20b493c-20b493e 523->530 531 20b48f4-20b48ff 523->531 524->523 526 20b48b7-20b48c6 525->526 527 20b48b5 525->527 526->526 529 20b48c8 526->529 527->526 529->524 532 20b4940-20b4999 530->532 531->530 533 20b4901-20b490d 531->533 542 20b499b-20b49a1 532->542 543 20b49a2-20b49c2 532->543 534 20b490f-20b4919 533->534 535 20b4930-20b493a 533->535 536 20b491b 534->536 537 20b491d-20b492c 534->537 535->532 536->537 537->537 539 20b492e 537->539 539->535 542->543 547 20b49cc-20b49ff 543->547 550 20b4a0f-20b4a13 547->550 551 20b4a01-20b4a05 547->551 553 20b4a23-20b4a27 550->553 554 20b4a15-20b4a19 550->554 551->550 552 20b4a07-20b4a0a call 20b0ab8 551->552 552->550 555 20b4a29-20b4a2d 553->555 556 20b4a37-20b4a3b 553->556 554->553 558 20b4a1b-20b4a1e call 20b0ab8 554->558 555->556 559 20b4a2f 555->559 560 20b4a4b 556->560 561 20b4a3d-20b4a41 556->561 558->553 559->556 564 20b4a4c 560->564 561->560 563 20b4a43 561->563 563->560 564->564
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin$\Vin
                                                            • API String ID: 0-241749244
                                                            • Opcode ID: f8a2ff79497f2e3d4579ac6428c43224ebfd18f33a692e11888049821bb37ed1
                                                            • Instruction ID: c4cbc557a4da91224bcd24a2a1d568887ce0d21a48fb20f3a24ed765b3fd5e14
                                                            • Opcode Fuzzy Hash: f8a2ff79497f2e3d4579ac6428c43224ebfd18f33a692e11888049821bb37ed1
                                                            • Instruction Fuzzy Hash: 8E717B70E003498FDB22CFA9C8907DEBBF2BF88704F148129E414A7295DB749942EF95
                                                            Function 020B47F4 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 565 20b47f4-20b488c 568 20b488e-20b4899 565->568 569 20b48d6-20b48d8 565->569 568->569 570 20b489b-20b48a7 568->570 571 20b48da-20b48f2 569->571 572 20b48ca-20b48d4 570->572 573 20b48a9-20b48b3 570->573 578 20b493c-20b493e 571->578 579 20b48f4-20b48ff 571->579 572->571 574 20b48b7-20b48c6 573->574 575 20b48b5 573->575 574->574 577 20b48c8 574->577 575->574 577->572 580 20b4940-20b4952 578->580 579->578 581 20b4901-20b490d 579->581 588 20b4959-20b4985 580->588 582 20b490f-20b4919 581->582 583 20b4930-20b493a 581->583 584 20b491b 582->584 585 20b491d-20b492c 582->585 583->580 584->585 585->585 587 20b492e 585->587 587->583 589 20b498b-20b4999 588->589 590 20b499b-20b49a1 589->590 591 20b49a2-20b49b0 589->591 590->591 594 20b49b8-20b49c2 591->594 595 20b49cc-20b49ff 594->595 598 20b4a0f-20b4a13 595->598 599 20b4a01-20b4a05 595->599 601 20b4a23-20b4a27 598->601 602 20b4a15-20b4a19 598->602 599->598 600 20b4a07-20b4a0a call 20b0ab8 599->600 600->598 603 20b4a29-20b4a2d 601->603 604 20b4a37-20b4a3b 601->604 602->601 606 20b4a1b-20b4a1e call 20b0ab8 602->606 603->604 607 20b4a2f 603->607 608 20b4a4b 604->608 609 20b4a3d-20b4a41 604->609 606->601 607->604 612 20b4a4c 608->612 609->608 611 20b4a43 609->611 611->608 612->612
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin$\Vin
                                                            • API String ID: 0-241749244
                                                            • Opcode ID: ae929c2b35da9797b9d4d6ac20ae7121ae8eec7f5ed6695c2d1ba2a250180cfe
                                                            • Instruction ID: a4b8c9e804ce42c3c0de1e4ef897f60064ece508579ec895de40efd207efab94
                                                            • Opcode Fuzzy Hash: ae929c2b35da9797b9d4d6ac20ae7121ae8eec7f5ed6695c2d1ba2a250180cfe
                                                            • Instruction Fuzzy Hash: 7D716970E003499FDB22CFA9C8907DEBBF2BF89704F148129E414A7295DB749942EF95
                                                            Function 05D5EA08 Relevance: 1.6, APIs: 1, Instructions: 132COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 613 5d5ea08-5d5ea23 614 5d5ea25-5d5ea4c call 5d5d280 613->614 615 5d5ea4d-5d5ea6c call 5d5e180 613->615 621 5d5ea72-5d5ead1 615->621 622 5d5ea6e-5d5ea71 615->622 627 5d5ead7-5d5eb64 GlobalMemoryStatusEx 621->627 628 5d5ead3-5d5ead6 621->628 632 5d5eb66-5d5eb6c 627->632 633 5d5eb6d-5d5eb95 627->633 632->633
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1486500768.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5d50000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cd6de614c2b8276d14fcf4b3dd37369e5877c7c46cebd0fb76e7ae3abe2af536
                                                            • Instruction ID: 6bf573423ff77fc3fa516acf0b0ac23c656d803b61feb40389dd252911676b83
                                                            • Opcode Fuzzy Hash: cd6de614c2b8276d14fcf4b3dd37369e5877c7c46cebd0fb76e7ae3abe2af536
                                                            • Instruction Fuzzy Hash: 2D412572E047499FDB14DF79D80429EBBF5FF89220F04856BD904A7251EB349845CB90
                                                            Function 05D5EAF0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 636 5d5eaf0-5d5eb2e 637 5d5eb36-5d5eb64 GlobalMemoryStatusEx 636->637 638 5d5eb66-5d5eb6c 637->638 639 5d5eb6d-5d5eb95 637->639 638->639
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 05D5EB57
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1486500768.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5d50000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 42cabd2c88cb37bf54c16f041c5367e978c864890a0d56149f541550e25cc57f
                                                            • Instruction ID: c270f8ffe19b0977613ed51f44500564bd781277da2e2459b2e0a56d54aca172
                                                            • Opcode Fuzzy Hash: 42cabd2c88cb37bf54c16f041c5367e978c864890a0d56149f541550e25cc57f
                                                            • Instruction Fuzzy Hash: 0B1123B1C0065A9FCB10DF9AC444BDEFBF8FF48620F10816AD818A7240D378A944CFA5
                                                            Function 020B3E66 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 708 20b3e66-20b3ed6 710 20b3ed8-20b3ee3 708->710 711 20b3f20-20b3f22 708->711 710->711 712 20b3ee5-20b3ef1 710->712 713 20b3f24-20b3f7c 711->713 714 20b3ef3-20b3efd 712->714 715 20b3f14-20b3f1e 712->715 722 20b3f7e-20b3f89 713->722 723 20b3fc6-20b3fc8 713->723 716 20b3eff 714->716 717 20b3f01-20b3f10 714->717 715->713 716->717 717->717 719 20b3f12 717->719 719->715 722->723 725 20b3f8b-20b3f97 722->725 724 20b3fca-20b3fe2 723->724 732 20b402c-20b402e 724->732 733 20b3fe4-20b3fef 724->733 726 20b3fba-20b3fc4 725->726 727 20b3f99-20b3fa3 725->727 726->724 728 20b3fa7-20b3fb6 727->728 729 20b3fa5 727->729 728->728 731 20b3fb8 728->731 729->728 731->726 734 20b4030-20b4042 732->734 733->732 735 20b3ff1-20b3ffd 733->735 742 20b4049-20b407e 734->742 736 20b3fff-20b4009 735->736 737 20b4020-20b402a 735->737 739 20b400b 736->739 740 20b400d-20b401c 736->740 737->734 739->740 740->740 741 20b401e 740->741 741->737 743 20b4084-20b4092 742->743 744 20b409b-20b40fb 743->744 745 20b4094-20b409a 743->745 752 20b410b-20b410f 744->752 753 20b40fd-20b4101 744->753 745->744 755 20b411f-20b4123 752->755 756 20b4111-20b4115 752->756 753->752 754 20b4103 753->754 754->752 757 20b4133-20b4137 755->757 758 20b4125-20b4129 755->758 756->755 759 20b4117-20b411a call 20b0ab8 756->759 761 20b4139-20b413d 757->761 762 20b4147-20b414b 757->762 758->757 760 20b412b-20b412e call 20b0ab8 758->760 759->755 760->757 761->762 765 20b413f-20b4142 call 20b0ab8 761->765 766 20b415b-20b415f 762->766 767 20b414d-20b4151 762->767 765->762 770 20b416f 766->770 771 20b4161-20b4165 766->771 767->766 769 20b4153 767->769 769->766 773 20b4170 770->773 771->770 772 20b4167 771->772 772->770 773->773
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin
                                                            • API String ID: 0-3600523701
                                                            • Opcode ID: 9f42b989bbec69750d42525e378940d3a645f8f46d0e72bf14cb389f275fd220
                                                            • Instruction ID: accf9698d73ee5a576c7045d05e77e7cc0dcff49ad8577456a918285aad116da
                                                            • Opcode Fuzzy Hash: 9f42b989bbec69750d42525e378940d3a645f8f46d0e72bf14cb389f275fd220
                                                            • Instruction Fuzzy Hash: F6A16C70E0030ADFDB62CFA8C9957DEBBF2AF88704F248529E404A7294DB749945DF91
                                                            Function 020B86F8 Relevance: .6, Instructions: 567COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 2554 20b86f8-20b8720 2558 20b875b-20b877c 2554->2558 2559 20b8722-20b872f 2554->2559 2563 20b8781-20b8784 2558->2563 2562 20b8751-20b8754 2559->2562 2562->2563 2564 20b8756 2562->2564 2566 20b87b1-20b87b4 2563->2566 2567 20b8786-20b87ac 2563->2567 2564->2558 2568 20b87e1-20b87e4 2566->2568 2569 20b87b6-20b87dc 2566->2569 2567->2566 2571 20b87ff-20b8802 2568->2571 2572 20b87e6-20b87f2 2568->2572 2569->2568 2574 20b882f-20b8832 2571->2574 2575 20b8804-20b882a 2571->2575 2589 20b87fa 2572->2589 2577 20b885f-20b8862 2574->2577 2578 20b8834-20b885a 2574->2578 2575->2574 2581 20b886f-20b8872 2577->2581 2582 20b8864 2577->2582 2578->2577 2586 20b889f-20b88a2 2581->2586 2587 20b8874-20b889a 2581->2587 2590 20b886a 2582->2590 2593 20b88cf-20b88d2 2586->2593 2594 20b88a4-20b88ca 2586->2594 2587->2586 2589->2571 2590->2581 2595 20b88ff-20b8902 2593->2595 2596 20b88d4-20b88fa 2593->2596 2594->2593 2600 20b892f-20b8932 2595->2600 2601 20b8904-20b892a 2595->2601 2596->2595 2603 20b895f-20b8962 2600->2603 2604 20b8934-20b895a 2600->2604 2601->2600 2609 20b898f-20b8992 2603->2609 2610 20b8964-20b898a 2603->2610 2604->2603 2612 20b89a3-20b89a6 2609->2612 2613 20b8994-20b8996 2609->2613 2610->2609 2619 20b89a8-20b89ce 2612->2619 2620 20b89d3-20b89d6 2612->2620 2774 20b8998 call 20ba033 2613->2774 2775 20b8998 call 20b9f81 2613->2775 2776 20b8998 call 20b9f90 2613->2776 2619->2620 2622 20b89d8-20b89fe 2620->2622 2623 20b8a03-20b8a06 2620->2623 2622->2623 2629 20b8a08-20b8a2e 2623->2629 2630 20b8a33-20b8a36 2623->2630 2624 20b899e 2624->2612 2629->2630 2632 20b8a38-20b8a5e 2630->2632 2633 20b8a63-20b8a66 2630->2633 2632->2633 2637 20b8a68-20b8a8e 2633->2637 2638 20b8a93-20b8a96 2633->2638 2637->2638 2641 20b8a98-20b8abe 2638->2641 2642 20b8ac3-20b8ac6 2638->2642 2641->2642 2645 20b8ac8-20b8aee 2642->2645 2646 20b8af3-20b8af6 2642->2646 2645->2646 2650 20b8af8-20b8b1e 2646->2650 2651 20b8b23-20b8b26 2646->2651 2650->2651 2655 20b8b28-20b8b4e 2651->2655 2656 20b8b53-20b8b56 2651->2656 2655->2656 2660 20b8b58-20b8b6e 2656->2660 2661 20b8b73-20b8b76 2656->2661 2660->2661 2665 20b8b78-20b8b9e 2661->2665 2666 20b8ba3-20b8ba6 2661->2666 2665->2666 2673 20b8ba8-20b8bce 2666->2673 2674 20b8bd3-20b8bd6 2666->2674 2673->2674 2675 20b8bd8-20b8bfe 2674->2675 2676 20b8c03-20b8c06 2674->2676 2675->2676 2683 20b8c08-20b8c2e 2676->2683 2684 20b8c33-20b8c36 2676->2684 2683->2684 2685 20b8c38-20b8c5e 2684->2685 2686 20b8c63-20b8c66 2684->2686 2685->2686 2692 20b8c68-20b8c8e 2686->2692 2693 20b8c93-20b8c96 2686->2693 2692->2693 2694 20b8c98-20b8cbe 2693->2694 2695 20b8cc3-20b8cc6 2693->2695 2694->2695 2702 20b8cc8-20b8cee 2695->2702 2703 20b8cf3-20b8cf6 2695->2703 2702->2703 2704 20b8cf8-20b8d1e 2703->2704 2705 20b8d23-20b8d26 2703->2705 2704->2705 2712 20b8d28-20b8d4e 2705->2712 2713 20b8d53-20b8d56 2705->2713 2712->2713 2714 20b8d58-20b8d7e 2713->2714 2715 20b8d83-20b8d86 2713->2715 2714->2715 2722 20b8d88-20b8dae 2715->2722 2723 20b8db3-20b8db6 2715->2723 2722->2723 2724 20b8db8-20b8dde 2723->2724 2725 20b8de3-20b8de6 2723->2725 2724->2725 2732 20b8de8-20b8e0e 2725->2732 2733 20b8e13-20b8e16 2725->2733 2732->2733 2734 20b8e18-20b8e3e 2733->2734 2735 20b8e43-20b8e46 2733->2735 2734->2735 2742 20b8e48-20b8e6e 2735->2742 2743 20b8e73-20b8e76 2735->2743 2742->2743 2744 20b8e78-20b8e9e 2743->2744 2745 20b8ea3-20b8ea6 2743->2745 2744->2745 2752 20b8ea8-20b8ece 2745->2752 2753 20b8ed3-20b8ed6 2745->2753 2752->2753 2754 20b8ed8-20b8efe 2753->2754 2755 20b8f03-20b8f05 2753->2755 2754->2755 2762 20b8f0c-20b8f0f 2755->2762 2763 20b8f07 2755->2763 2762->2562 2764 20b8f15-20b8f1b 2762->2764 2763->2762 2774->2624 2775->2624 2776->2624
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 49d9fed97c18f5a874fcd18ea7dbcddb6ef7124560991c26c1f315d1bb8f0ac1
                                                            • Instruction ID: bb889d023b3f1eef176ae3d7a4a15528e979aeccefe0771ac62d775a4073ca33
                                                            • Opcode Fuzzy Hash: 49d9fed97c18f5a874fcd18ea7dbcddb6ef7124560991c26c1f315d1bb8f0ac1
                                                            • Instruction Fuzzy Hash: D7227E31B403038FDB26AB38F99826933A7FFC5655B108929D405CB7A4CF71DC869B82
                                                            Function 020B8738 Relevance: .6, Instructions: 558COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 2777 20b8738-20b874f 2778 20b8751-20b8754 2777->2778 2779 20b8781-20b8784 2778->2779 2780 20b8756-20b877c 2778->2780 2782 20b87b1-20b87b4 2779->2782 2783 20b8786-20b87ac 2779->2783 2780->2779 2784 20b87e1-20b87e4 2782->2784 2785 20b87b6-20b87dc 2782->2785 2783->2782 2787 20b87ff-20b8802 2784->2787 2788 20b87e6-20b87f2 2784->2788 2785->2784 2790 20b882f-20b8832 2787->2790 2791 20b8804-20b882a 2787->2791 2807 20b87fa 2788->2807 2794 20b885f-20b8862 2790->2794 2795 20b8834-20b885a 2790->2795 2791->2790 2798 20b886f-20b8872 2794->2798 2799 20b8864 2794->2799 2795->2794 2803 20b889f-20b88a2 2798->2803 2804 20b8874-20b889a 2798->2804 2808 20b886a 2799->2808 2811 20b88cf-20b88d2 2803->2811 2812 20b88a4-20b88ca 2803->2812 2804->2803 2807->2787 2808->2798 2813 20b88ff-20b8902 2811->2813 2814 20b88d4-20b88fa 2811->2814 2812->2811 2818 20b892f-20b8932 2813->2818 2819 20b8904-20b892a 2813->2819 2814->2813 2821 20b895f-20b8962 2818->2821 2822 20b8934-20b895a 2818->2822 2819->2818 2827 20b898f-20b8992 2821->2827 2828 20b8964-20b898a 2821->2828 2822->2821 2830 20b89a3-20b89a6 2827->2830 2831 20b8994-20b8996 2827->2831 2828->2827 2837 20b89a8-20b89ce 2830->2837 2838 20b89d3-20b89d6 2830->2838 2992 20b8998 call 20ba033 2831->2992 2993 20b8998 call 20b9f81 2831->2993 2994 20b8998 call 20b9f90 2831->2994 2837->2838 2840 20b89d8-20b89fe 2838->2840 2841 20b8a03-20b8a06 2838->2841 2840->2841 2847 20b8a08-20b8a2e 2841->2847 2848 20b8a33-20b8a36 2841->2848 2842 20b899e 2842->2830 2847->2848 2850 20b8a38-20b8a5e 2848->2850 2851 20b8a63-20b8a66 2848->2851 2850->2851 2855 20b8a68-20b8a8e 2851->2855 2856 20b8a93-20b8a96 2851->2856 2855->2856 2859 20b8a98-20b8abe 2856->2859 2860 20b8ac3-20b8ac6 2856->2860 2859->2860 2863 20b8ac8-20b8aee 2860->2863 2864 20b8af3-20b8af6 2860->2864 2863->2864 2868 20b8af8-20b8b1e 2864->2868 2869 20b8b23-20b8b26 2864->2869 2868->2869 2873 20b8b28-20b8b4e 2869->2873 2874 20b8b53-20b8b56 2869->2874 2873->2874 2878 20b8b58-20b8b6e 2874->2878 2879 20b8b73-20b8b76 2874->2879 2878->2879 2883 20b8b78-20b8b9e 2879->2883 2884 20b8ba3-20b8ba6 2879->2884 2883->2884 2891 20b8ba8-20b8bce 2884->2891 2892 20b8bd3-20b8bd6 2884->2892 2891->2892 2893 20b8bd8-20b8bfe 2892->2893 2894 20b8c03-20b8c06 2892->2894 2893->2894 2901 20b8c08-20b8c2e 2894->2901 2902 20b8c33-20b8c36 2894->2902 2901->2902 2903 20b8c38-20b8c5e 2902->2903 2904 20b8c63-20b8c66 2902->2904 2903->2904 2910 20b8c68-20b8c8e 2904->2910 2911 20b8c93-20b8c96 2904->2911 2910->2911 2912 20b8c98-20b8cbe 2911->2912 2913 20b8cc3-20b8cc6 2911->2913 2912->2913 2920 20b8cc8-20b8cee 2913->2920 2921 20b8cf3-20b8cf6 2913->2921 2920->2921 2922 20b8cf8-20b8d1e 2921->2922 2923 20b8d23-20b8d26 2921->2923 2922->2923 2930 20b8d28-20b8d4e 2923->2930 2931 20b8d53-20b8d56 2923->2931 2930->2931 2932 20b8d58-20b8d7e 2931->2932 2933 20b8d83-20b8d86 2931->2933 2932->2933 2940 20b8d88-20b8dae 2933->2940 2941 20b8db3-20b8db6 2933->2941 2940->2941 2942 20b8db8-20b8dde 2941->2942 2943 20b8de3-20b8de6 2941->2943 2942->2943 2950 20b8de8-20b8e0e 2943->2950 2951 20b8e13-20b8e16 2943->2951 2950->2951 2952 20b8e18-20b8e3e 2951->2952 2953 20b8e43-20b8e46 2951->2953 2952->2953 2960 20b8e48-20b8e6e 2953->2960 2961 20b8e73-20b8e76 2953->2961 2960->2961 2962 20b8e78-20b8e9e 2961->2962 2963 20b8ea3-20b8ea6 2961->2963 2962->2963 2970 20b8ea8-20b8ece 2963->2970 2971 20b8ed3-20b8ed6 2963->2971 2970->2971 2972 20b8ed8-20b8efe 2971->2972 2973 20b8f03-20b8f05 2971->2973 2972->2973 2980 20b8f0c-20b8f0f 2973->2980 2981 20b8f07 2973->2981 2980->2778 2982 20b8f15-20b8f1b 2980->2982 2981->2980 2992->2842 2993->2842 2994->2842
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29acab67509ba46cf8916708db862ad6cb73dddb049d436ba816829cb86a9403
                                                            • Instruction ID: fe13cfed1a69f6b17f3bd34201cefa09cbfcfa34c65e812b151cc355795284bb
                                                            • Opcode Fuzzy Hash: 29acab67509ba46cf8916708db862ad6cb73dddb049d436ba816829cb86a9403
                                                            • Instruction Fuzzy Hash: 4C125D31B403038BDB26AB28F99866933E7FFC5655B108929D405CB764CF71EC869B82
                                                            Function 020BA20F Relevance: .4, Instructions: 388COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 60c40cd3221a8dc60dd01c272418745bf551169a6fd717328eb191b51c728cec
                                                            • Instruction ID: f6dd25aef56bde5f10c91f089412afb51eabde43f11304b902f6fec883f58ebb
                                                            • Opcode Fuzzy Hash: 60c40cd3221a8dc60dd01c272418745bf551169a6fd717328eb191b51c728cec
                                                            • Instruction Fuzzy Hash: C4E13B34B002058FDB66DB68D584AADBBF2FF88714F208429E80AD7354DB35ED42DB91
                                                            Function 020B4A7F Relevance: .3, Instructions: 260COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d73564683035aa7ea92ef32cf2969fff4bd25c25f49fb91464ef1fc608a4e144
                                                            • Instruction ID: 6ecc57a1fc8102e6da34ba2f2aa3ac2b9a7b15d618dbd6eb19098816ee6a6eb8
                                                            • Opcode Fuzzy Hash: d73564683035aa7ea92ef32cf2969fff4bd25c25f49fb91464ef1fc608a4e144
                                                            • Instruction Fuzzy Hash: 56A16D70E00309CFDB62CFA8C8917EDBBF2AF88714F148129D414E7295EB749945DB91
                                                            Function 020B7C31 Relevance: .2, Instructions: 221COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aab67849ee5a5ded4cba4e99eae87eeba6da63014c5a64aeb6fc79595e01e9e0
                                                            • Instruction ID: 1447d443e11d1119ccf526dd87565f1af7de322fbffe339248f9d2e6aa865359
                                                            • Opcode Fuzzy Hash: aab67849ee5a5ded4cba4e99eae87eeba6da63014c5a64aeb6fc79595e01e9e0
                                                            • Instruction Fuzzy Hash: B2314A36E0031A9FDB67CB64C4547EEF7B2EF89310F218569E801EB260DB719942CB90
                                                            Function 020B7C84 Relevance: .2, Instructions: 221COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5b43398a265014345a6671eef91b76c6b4227ca8e42de38c01b522950668f7c
                                                            • Instruction ID: b2625d5a3b95ad1fe5d7fc5489947694d2607882f8484eb86422260de2c6af6a
                                                            • Opcode Fuzzy Hash: e5b43398a265014345a6671eef91b76c6b4227ca8e42de38c01b522950668f7c
                                                            • Instruction Fuzzy Hash: 06312A35E0031A9FDB66CB64D4547EEF7B2EF89300F218569E801EB2A0DB719946DB50
                                                            Function 020B6ED3 Relevance: .2, Instructions: 175COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c3bbb46f3760074e1c3b6811a97b87468b62c15b457d4ac3934e6951e230113
                                                            • Instruction ID: 99b1f8ff01ea39358e645511bed8773b21e59b931de38d40d64506067a18af33
                                                            • Opcode Fuzzy Hash: 5c3bbb46f3760074e1c3b6811a97b87468b62c15b457d4ac3934e6951e230113
                                                            • Instruction Fuzzy Hash: CF616D35710215CFDB66EB68C458AAD7BF6EF89700F2040A9E406EB3A1DB369C41DB91
                                                            Function 020BDD82 Relevance: .2, Instructions: 171COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 95ffbc8333155ba854ebf2917dfa0d4dbc486c45fac1d3d0e2ef43eccda88f37
                                                            • Instruction ID: c1ec04da6611fcf54c8f5dfe5777741e97bfeb7f30209b7cf45a54195af778d4
                                                            • Opcode Fuzzy Hash: 95ffbc8333155ba854ebf2917dfa0d4dbc486c45fac1d3d0e2ef43eccda88f37
                                                            • Instruction Fuzzy Hash: B1517D75700216AFDB26DF28C884BBAF7A6FF84310F248269D455DB295CB31E882D791
                                                            Function 020BA6C8 Relevance: .1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 318a43796a59b4a167c818f9297fd4b6e59fa8323ba947b54d38f3dbdefad994
                                                            • Instruction ID: 2a92b8f5e255a058bc14ac12e29d85caf9faa410a15f7fdcce304f18afba8881
                                                            • Opcode Fuzzy Hash: 318a43796a59b4a167c818f9297fd4b6e59fa8323ba947b54d38f3dbdefad994
                                                            • Instruction Fuzzy Hash: 9A515A75A00205CFDB55DF69E884B99FBB2FF88310F14C26AE9089B395E771D845CB90
                                                            Function 020B6CD4 Relevance: .1, Instructions: 134COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0357cb51101b4e00fe67b30f620f2cab77880aa5aad51dfe10085f0cbe255fd5
                                                            • Instruction ID: de075f99f155ff777cd9c5d4d5403d28eaaf620693415d3065a90e09a8701a56
                                                            • Opcode Fuzzy Hash: 0357cb51101b4e00fe67b30f620f2cab77880aa5aad51dfe10085f0cbe255fd5
                                                            • Instruction Fuzzy Hash: F1511174D103188FDB2ACFA9C884BDDBBF5BF48314F148529D815AB290DB75A844CF94
                                                            Function 020B6CE0 Relevance: .1, Instructions: 132COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7e276be0f6d7e8d2d7740f7d0540caba73abd6c54ef1000019b882d48bc3bc5
                                                            • Instruction ID: 3de02d8da81f308407a6f14566c6a0363c59b313b72e86fa13b0a4e08946aae6
                                                            • Opcode Fuzzy Hash: b7e276be0f6d7e8d2d7740f7d0540caba73abd6c54ef1000019b882d48bc3bc5
                                                            • Instruction Fuzzy Hash: 18510074D103188FDB29CFAAC884BDEBBF5BF48314F14852AE815AB290D775A844CF94
                                                            Function 020B136F Relevance: .1, Instructions: 128COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf18f62aa5526321e49f38c05daf260daad7bc010989288cf8107e2ea2b5e0c5
                                                            • Instruction ID: 89c5835ad179715ae8b6ec8928953224f0214bdec6cbf463b69e616399d59f71
                                                            • Opcode Fuzzy Hash: bf18f62aa5526321e49f38c05daf260daad7bc010989288cf8107e2ea2b5e0c5
                                                            • Instruction Fuzzy Hash: BB412570600345DFDB33EB28F8987997BA2FF45319F009964E50ACB289D7349A45CB82
                                                            Function 020B112B Relevance: .1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 98609fcfa834b5630bf5a8f316712c748d66546fbb1c6e087cd9227eda619a36
                                                            • Instruction ID: ee21857812ccafd1933b2bfba3dad9639b8486ed91b204dce3d9cc258a2c5f09
                                                            • Opcode Fuzzy Hash: 98609fcfa834b5630bf5a8f316712c748d66546fbb1c6e087cd9227eda619a36
                                                            • Instruction Fuzzy Hash: E6510E71212385DFC716FF39F888A583F62B7A5305314E9A9D5054B2AEDB306F05CB85
                                                            Function 020B1138 Relevance: .1, Instructions: 109COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f86a469d6a75d21bf2036ba3a00d517fb79a4a83e171e80c4596ec51c7c2eaf1
                                                            • Instruction ID: 5c54cc46239092321d9ea0e4af3c870ca4e063ba557824f2230411d5193a75ca
                                                            • Opcode Fuzzy Hash: f86a469d6a75d21bf2036ba3a00d517fb79a4a83e171e80c4596ec51c7c2eaf1
                                                            • Instruction Fuzzy Hash: BE510A71212386DFC71AFF39F888A583B66B7A5305314E969D1054B2AEDB306F05CB86
                                                            Function 020B7D90 Relevance: .1, Instructions: 99COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d06f0472233e44d87b9f1f96a35eaaa36d79cb2164cf4062f39a1b31e5ce8a9b
                                                            • Instruction ID: 95f0ac9b1f10f5baa51b070fb3c62a9ba3903a72755b5bd67ec9a8b7ea51228a
                                                            • Opcode Fuzzy Hash: d06f0472233e44d87b9f1f96a35eaaa36d79cb2164cf4062f39a1b31e5ce8a9b
                                                            • Instruction Fuzzy Hash: BA314A36E0031ADBDB66CB64D4447EEF7B2FF89314F108929E816EB260D770A942DB50
                                                            Function 020B147A Relevance: .1, Instructions: 97COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 25481d81e7965f2aca5d278e5e4b61935160a0a020c08a8d67381d462347ab48
                                                            • Instruction ID: 78a004a5ad97b7c0f62ca5ac650486d7c65f432b03c95038bcfef89f3a2ae3e3
                                                            • Opcode Fuzzy Hash: 25481d81e7965f2aca5d278e5e4b61935160a0a020c08a8d67381d462347ab48
                                                            • Instruction Fuzzy Hash: 78318D71A003558FDB73ABB894643EEBBE2EF45365F21047AD80AD7241E739C842DB91
                                                            Function 020B26CE Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c91d45b48afce03600c8353c87a241e543fb6af8708680885e866f23b68f21bf
                                                            • Instruction ID: 6dde282ec9d418fbed8211a1be9f19d364169fd43a0c6959fcef00d113260f01
                                                            • Opcode Fuzzy Hash: c91d45b48afce03600c8353c87a241e543fb6af8708680885e866f23b68f21bf
                                                            • Instruction Fuzzy Hash: 6741F0B09003499FDB21DFA9C984ADEBBF5FF48314F148429E809AB250DB75A946CB90
                                                            Function 020B17B2 Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c565c8a4ea6f8659a9e31e54cbe995ed7e35dede6083c9be7740882a114ece9f
                                                            • Instruction ID: e48c14fc9459b08f4e8c77c31fd7bd224de9430c986ae66c2a4ac28bad7667c5
                                                            • Opcode Fuzzy Hash: c565c8a4ea6f8659a9e31e54cbe995ed7e35dede6083c9be7740882a114ece9f
                                                            • Instruction Fuzzy Hash: 8431D175A003119FCF62AF74A858BAEBBF6EF88250F104465E90AC7654EB358911CB81
                                                            Function 020B26D8 Relevance: .1, Instructions: 90COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1e0fd0321067efa760457b94a1a1c40f2fde76441f3eb0e23af43976a13ac1d5
                                                            • Instruction ID: 1e46ba9cae43d171b6458c615c155131763aa03bcfcb780eb917beb14c5eb584
                                                            • Opcode Fuzzy Hash: 1e0fd0321067efa760457b94a1a1c40f2fde76441f3eb0e23af43976a13ac1d5
                                                            • Instruction Fuzzy Hash: 3E41EFB0D0034D9FDB21DFA9C984ADEBBF5FF48314F108429E819AB250DB75A946CB94
                                                            Function 020B1690 Relevance: .1, Instructions: 83COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12d387aea05be56af4ceb0023d038b3e42f5e7e1d01f844f1dda76c046c5cce4
                                                            • Instruction ID: bfd6ed2491013c9bd573dea79bb32c0e7bc742d0d70e0dac747f087877a57e1a
                                                            • Opcode Fuzzy Hash: 12d387aea05be56af4ceb0023d038b3e42f5e7e1d01f844f1dda76c046c5cce4
                                                            • Instruction Fuzzy Hash: E221E4746003008FDB73EB38F498BAA77A1EF88251F106925D50AC7659DB34C9858B91
                                                            Function 020BA080 Relevance: .1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f2d436e344c3cb567506661b928c5d1ad39e8d59a489666a747bba07adaf695c
                                                            • Instruction ID: dd9589253ade75907fa0b6ce36a41c4aa485a54539f0b80c3676b607c1f353d8
                                                            • Opcode Fuzzy Hash: f2d436e344c3cb567506661b928c5d1ad39e8d59a489666a747bba07adaf695c
                                                            • Instruction Fuzzy Hash: 2D314B71A0030A9BDB56CFA4D9847DEB7B2AF89304F14C51AE805EB344DB719986DB90
                                                            Function 020BA090 Relevance: .1, Instructions: 78COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76adea3fb42593524c8778f08b4fd9e7ba7b98bda9c87fbda5cb56043478fa15
                                                            • Instruction ID: cea4b8a0c4816aae2fd96fc7024ea021e33b12053ceb9b8268bd52b3fa6be181
                                                            • Opcode Fuzzy Hash: 76adea3fb42593524c8778f08b4fd9e7ba7b98bda9c87fbda5cb56043478fa15
                                                            • Instruction Fuzzy Hash: A2214B31E1030A9BDB56CFA4D9946DEF7B2BF89304F10C61AE805EB344DB719986DB90
                                                            Function 020BA857 Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd30025127bb7eee09d7f6f2d5af25af1b6b9ebad26d7874de869ffaec0b553e
                                                            • Instruction ID: 46aaa3d012905a0be78f502fb92f27fd29790b8d5fbcadeb36b740a5ab468685
                                                            • Opcode Fuzzy Hash: bd30025127bb7eee09d7f6f2d5af25af1b6b9ebad26d7874de869ffaec0b553e
                                                            • Instruction Fuzzy Hash: E1219071B002059FEB26DB68C954BED77F6EF8CB14F218129E505EB3A0DB718D019B90
                                                            Function 020B9F81 Relevance: .1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fb7dd7b0a1cabba3f115b3b01e22fd37746616df617345a27b80d3f3a27db13
                                                            • Instruction ID: c030798f3786164140bb8db85c6762dcd72c6fa25d2f61034e341d7aff5314a2
                                                            • Opcode Fuzzy Hash: 2fb7dd7b0a1cabba3f115b3b01e22fd37746616df617345a27b80d3f3a27db13
                                                            • Instruction Fuzzy Hash: FB214F31E1071A9BDB2ACFA4D4506DEB7B2AF89310F10852AE915EB350DB71A845CB50
                                                            Function 020B4F78 Relevance: .1, Instructions: 73COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 65b5d10dc11a24409f84323818102d529a95e601abf18e55d90c8372ee485aec
                                                            • Instruction ID: 4383a6f90db4797bb87d40424e5bd017bc8a931a5c2c3e51a112cdd1a7d06099
                                                            • Opcode Fuzzy Hash: 65b5d10dc11a24409f84323818102d529a95e601abf18e55d90c8372ee485aec
                                                            • Instruction Fuzzy Hash: 45212630B10209CFCB65DF78D598AAD7BF2EF88300B1044A9E50AEB3A5DB759D01DB90
                                                            Function 020B186B Relevance: .1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 487a8a8de8716abf359089111c7b03cbe1b7cee1dd497fa7a5319d87cc5fde2c
                                                            • Instruction ID: c47c5e340ac9b3783e322f189ce046fc13cc5e2ec4ca20f4bf0aa43b2a1aab87
                                                            • Opcode Fuzzy Hash: 487a8a8de8716abf359089111c7b03cbe1b7cee1dd497fa7a5319d87cc5fde2c
                                                            • Instruction Fuzzy Hash: 9C214C30A043498FDB66EF64D5687EDB7F6BF49204F100468D50AEB390DB758D01DB51
                                                            Function 020B6B99 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 75fa3972bc92c4c28e87e6514fdf2a6312590a832aacc698b02cd74d495e1dde
                                                            • Instruction ID: f9feaea19fce7558cd1b7e901f3e5d0c28f1a58fed710115d6c8ba49b3b45d6f
                                                            • Opcode Fuzzy Hash: 75fa3972bc92c4c28e87e6514fdf2a6312590a832aacc698b02cd74d495e1dde
                                                            • Instruction Fuzzy Hash: B521FF303082919FC716AB7CA4647EEBBB6EFC6600F0084AED049CB246EE328C459781
                                                            Function 020B1878 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd965b74687090ce675e2d21b1c962e9d34d924a33bdc98b26db4abbaa90dc7c
                                                            • Instruction ID: 6c14724bd6ddd58461333d1ebefe37f392ef6bee1582245a3ab4b312d9b1ac37
                                                            • Opcode Fuzzy Hash: dd965b74687090ce675e2d21b1c962e9d34d924a33bdc98b26db4abbaa90dc7c
                                                            • Instruction Fuzzy Hash: 0F212A307003498FDB66EB64C5687EEB7F6AF89205F200468D50AEB390DB768D01DBA1
                                                            Function 020B9F90 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 40380c6d50b93b3fc3ba13eb109180e9b49432aace72fbff2f8c88775218aa38
                                                            • Instruction ID: 59d7acbcb164a36e0163206ae547d9fedcf92bd7fa39816a895a90638291eb55
                                                            • Opcode Fuzzy Hash: 40380c6d50b93b3fc3ba13eb109180e9b49432aace72fbff2f8c88775218aa38
                                                            • Instruction Fuzzy Hash: 84215030E1071A9BDB2ACFA5C454ADEB7B2BF89310F10861AE915FB350DB71A845CB50
                                                            Function 020B16A0 Relevance: .1, Instructions: 69COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 88fc59d1066e89ffc3d39f29ae25df740b801227f0d44d83f8f3cc4ea360f14c
                                                            • Instruction ID: 8bca41b64a3a7435123c3558a5ee59c1292637f61cda160723095390fc493cce
                                                            • Opcode Fuzzy Hash: 88fc59d1066e89ffc3d39f29ae25df740b801227f0d44d83f8f3cc4ea360f14c
                                                            • Instruction Fuzzy Hash: 4E21C6346103058FDF63EB28F898B9E77A6FF88251F10A925E50AC7659DB30D9808B91
                                                            Function 020B4F88 Relevance: .1, Instructions: 68COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 642f87b38f87e188a73b894653c59c55725538867c2f1c4da28192591695d988
                                                            • Instruction ID: 73996025b10ced14b8a2dd7cdb100689542e976b65e7f61845f719cccecd4418
                                                            • Opcode Fuzzy Hash: 642f87b38f87e188a73b894653c59c55725538867c2f1c4da28192591695d988
                                                            • Instruction Fuzzy Hash: 3F213930710209CFDB65EF78D558A9D7BF2AF88304B1044A9E50AEB3A4DB719D00DB90
                                                            Function 020B0838 Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f716e5ef3236f5bd3ea40177057e374782a41bba18a04e7fc4d29b11c98063fb
                                                            • Instruction ID: 50a06b646a8e661515c1dae9758454bba64c1ba0c562abba0875aef694e39a80
                                                            • Opcode Fuzzy Hash: f716e5ef3236f5bd3ea40177057e374782a41bba18a04e7fc4d29b11c98063fb
                                                            • Instruction Fuzzy Hash: 52116D30A043495BEF775A74D8443BB37A7FF86254F10893AD042CB682DB21CA819BD2
                                                            Function 020B0848 Relevance: .1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eac784aee5478d04e44c79b5ee909d2de13fb175a8f2e1757625d155bbb19c1a
                                                            • Instruction ID: 10ca3352b0f1ddbfb8ad79854e027de1dc798bbb2bd3babbdb9582e7213f495e
                                                            • Opcode Fuzzy Hash: eac784aee5478d04e44c79b5ee909d2de13fb175a8f2e1757625d155bbb19c1a
                                                            • Instruction Fuzzy Hash: BA116A30B003099BEFB7AA79D8443AB32D7FF89654F208939D146CB655DB21CA819BC1
                                                            Function 020B1488 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e873ba1767a2dc8846f59aa00f8a299b8ae032e151d456347699b69377b3b33
                                                            • Instruction ID: edaa7c9a4bf27e7d9bcbd493a9f0ff17a16ecef4466516cd8191fc95bced0d32
                                                            • Opcode Fuzzy Hash: 4e873ba1767a2dc8846f59aa00f8a299b8ae032e151d456347699b69377b3b33
                                                            • Instruction Fuzzy Hash: 65011B31E003158FCB72AFB884542EEBBF6AF49350F24047AD809E7200E735C8419B95
                                                            Function 020BA6C0 Relevance: .0, Instructions: 50COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d8f79ff56ce50fdf74d6cd7c1e66d135f4fa1aa3aa79f46772cbaba58448434
                                                            • Instruction ID: e0b78036d1635c66307a39676b696147a516cdb478d053f62b2908f0668f7d70
                                                            • Opcode Fuzzy Hash: 7d8f79ff56ce50fdf74d6cd7c1e66d135f4fa1aa3aa79f46772cbaba58448434
                                                            • Instruction Fuzzy Hash: 3C01C030A003058FDB15EF99D98478ABBA6FFD4311F54C224D8081B299EB71ED46CBA1
                                                            Function 020B7EA8 Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 94de36d079b774e3b7091f082d049bbf5a095d56cc6c6f8a8e8a08929f5cb975
                                                            • Instruction ID: 6864fad53c0cbcc2852ac6cb61a9a18eda69df4fb3115017742f364aec911b0c
                                                            • Opcode Fuzzy Hash: 94de36d079b774e3b7091f082d049bbf5a095d56cc6c6f8a8e8a08929f5cb975
                                                            • Instruction Fuzzy Hash: F8012835B40204CFCB65DB74D458BAD77F2EF88315F1508A4E4069B3A0CB31AE82CB40
                                                            Function 020B8F20 Relevance: .0, Instructions: 37COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: da44e7c26dd9507b9e1e1b36b98389686f383cef9a1924e89d23c83b0cf79dd4
                                                            • Instruction ID: 168ab0e7c37a4a3ce1eb994c04df29c8820137b57b61a3c1c9438ce6a7c5c151
                                                            • Opcode Fuzzy Hash: da44e7c26dd9507b9e1e1b36b98389686f383cef9a1924e89d23c83b0cf79dd4
                                                            • Instruction Fuzzy Hash: 5B018F30900319EFCB41FFA4F89469D7BB1BF84240F609AB9C5059B244EA326F049B82
                                                            Function 020B8F30 Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1481076385.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_20b0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cead3d12db2a25e7b4068dff71f73e65433971d7388a0d80eb6ad1736e68d17f
                                                            • Instruction ID: 82a064c75b67d2a071bfb56bd4c71c42ee350a1ba5eb1b4671fec7907427f607
                                                            • Opcode Fuzzy Hash: cead3d12db2a25e7b4068dff71f73e65433971d7388a0d80eb6ad1736e68d17f
                                                            • Instruction Fuzzy Hash: 5BF0313090031AEFDB41FFA4F98469D7BB1BB84640F5096A9C50897258EB322F049B82

                                                            Execution Graph

                                                            Execution Coverage:9.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:184
                                                            Total number of Limit Nodes:11
                                                            execution_graph 28017 a2d3c0 28018 a2d406 GetCurrentProcess 28017->28018 28020 a2d451 28018->28020 28021 a2d458 GetCurrentThread 28018->28021 28020->28021 28022 a2d495 GetCurrentProcess 28021->28022 28024 a2d48e 28021->28024 28023 a2d4cb 28022->28023 28025 a2d4f3 GetCurrentThreadId 28023->28025 28024->28022 28026 a2d524 28025->28026 27993 a130040 27994 a1301cb 27993->27994 27995 a130066 27993->27995 27995->27994 27998 a1302c0 PostMessageW 27995->27998 28000 a1302b9 27995->28000 27999 a13032c 27998->27999 27999->27995 28001 a1302c0 PostMessageW 28000->28001 28002 a13032c 28001->28002 28002->27995 27972 a24668 27973 a2467a 27972->27973 27974 a24686 27973->27974 27976 a24778 27973->27976 27977 a2479d 27976->27977 27981 a24888 27977->27981 27985 a24879 27977->27985 27983 a248af 27981->27983 27982 a2498c 27982->27982 27983->27982 27989 a244c4 27983->27989 27987 a248af 27985->27987 27986 a2498c 27986->27986 27987->27986 27988 a244c4 CreateActCtxA 27987->27988 27988->27986 27990 a25918 CreateActCtxA 27989->27990 27992 a259db 27990->27992 28003 a2b038 28004 a2b047 28003->28004 28007 a2b120 28003->28007 28012 a2b130 28003->28012 28008 a2b164 28007->28008 28009 a2b141 28007->28009 28008->28004 28009->28008 28010 a2b368 GetModuleHandleW 28009->28010 28011 a2b395 28010->28011 28011->28004 28013 a2b164 28012->28013 28014 a2b141 28012->28014 28013->28004 28014->28013 28015 a2b368 GetModuleHandleW 28014->28015 28016 a2b395 28015->28016 28016->28004 28027 a2d608 DuplicateHandle 28028 a2d69e 28027->28028 28029 573d058 28030 573d06b 28029->28030 28031 573d322 28029->28031 28034 573eea1 28030->28034 28052 573eeb0 28030->28052 28035 573eeb0 28034->28035 28036 573eed2 28035->28036 28070 573f9d1 28035->28070 28075 573f6ad 28035->28075 28080 573f3ed 28035->28080 28088 573f28e 28035->28088 28093 573faa9 28035->28093 28101 573f3c9 28035->28101 28109 573f62a 28035->28109 28114 573f461 28035->28114 28122 573f8be 28035->28122 28126 573f5be 28035->28126 28131 573f4b8 28035->28131 28136 573f538 28035->28136 28140 573fc34 28035->28140 28144 573f675 28035->28144 28149 573f915 28035->28149 28036->28031 28053 573eeb6 28052->28053 28054 573eed2 28053->28054 28055 573f9d1 2 API calls 28053->28055 28056 573f915 4 API calls 28053->28056 28057 573f675 2 API calls 28053->28057 28058 573fc34 2 API calls 28053->28058 28059 573f538 2 API calls 28053->28059 28060 573f4b8 2 API calls 28053->28060 28061 573f5be 2 API calls 28053->28061 28062 573f8be 2 API calls 28053->28062 28063 573f461 4 API calls 28053->28063 28064 573f62a 2 API calls 28053->28064 28065 573f3c9 4 API calls 28053->28065 28066 573faa9 4 API calls 28053->28066 28067 573f28e 2 API calls 28053->28067 28068 573f3ed 4 API calls 28053->28068 28069 573f6ad 2 API calls 28053->28069 28054->28031 28055->28054 28056->28054 28057->28054 28058->28054 28059->28054 28060->28054 28061->28054 28062->28054 28063->28054 28064->28054 28065->28054 28066->28054 28067->28054 28068->28054 28069->28054 28071 573f641 28070->28071 28072 573f5d0 28071->28072 28157 573c322 28071->28157 28162 573c328 28071->28162 28072->28036 28076 573f6b3 28075->28076 28166 573ca91 28076->28166 28170 573ca98 28076->28170 28077 573f6d6 28082 573f3c9 28080->28082 28081 573f929 28183 573c3d7 28081->28183 28187 573c3d8 28081->28187 28082->28081 28174 573c9a0 28082->28174 28179 573c9a8 28082->28179 28083 573fc53 28089 573f2ad 28088->28089 28191 573cc30 28089->28191 28195 573cc24 28089->28195 28094 573f3c9 28093->28094 28095 573f929 28094->28095 28097 573c9a0 WriteProcessMemory 28094->28097 28098 573c9a8 WriteProcessMemory 28094->28098 28099 573c3d7 Wow64SetThreadContext 28095->28099 28100 573c3d8 Wow64SetThreadContext 28095->28100 28096 573fc53 28097->28094 28098->28094 28099->28096 28100->28096 28104 573f3d5 28101->28104 28102 573f929 28105 573c3d7 Wow64SetThreadContext 28102->28105 28106 573c3d8 Wow64SetThreadContext 28102->28106 28103 573fc53 28104->28101 28104->28102 28107 573c9a0 WriteProcessMemory 28104->28107 28108 573c9a8 WriteProcessMemory 28104->28108 28105->28103 28106->28103 28107->28104 28108->28104 28110 573f630 28109->28110 28112 573c322 ResumeThread 28110->28112 28113 573c328 ResumeThread 28110->28113 28111 573f5d0 28111->28036 28112->28111 28113->28111 28115 573f3c9 28114->28115 28115->28114 28116 573f929 28115->28116 28118 573c9a0 WriteProcessMemory 28115->28118 28119 573c9a8 WriteProcessMemory 28115->28119 28120 573c3d7 Wow64SetThreadContext 28116->28120 28121 573c3d8 Wow64SetThreadContext 28116->28121 28117 573fc53 28118->28115 28119->28115 28120->28117 28121->28117 28199 573c8e0 28122->28199 28203 573c8e8 28122->28203 28123 573f8dc 28127 573f537 28126->28127 28128 573f552 28126->28128 28129 573c3d7 Wow64SetThreadContext 28127->28129 28130 573c3d8 Wow64SetThreadContext 28127->28130 28128->28036 28129->28128 28130->28128 28132 573f4db 28131->28132 28134 573c9a0 WriteProcessMemory 28132->28134 28135 573c9a8 WriteProcessMemory 28132->28135 28133 573f8ab 28133->28036 28134->28133 28135->28133 28138 573c3d7 Wow64SetThreadContext 28136->28138 28139 573c3d8 Wow64SetThreadContext 28136->28139 28137 573f552 28137->28036 28137->28137 28138->28137 28139->28137 28141 573fc53 28140->28141 28142 573c3d7 Wow64SetThreadContext 28140->28142 28143 573c3d8 Wow64SetThreadContext 28140->28143 28142->28141 28143->28141 28145 573f67e 28144->28145 28147 573c9a0 WriteProcessMemory 28145->28147 28148 573c9a8 WriteProcessMemory 28145->28148 28146 573f7d2 28147->28146 28148->28146 28152 573f3c9 28149->28152 28150 573f929 28153 573c3d7 Wow64SetThreadContext 28150->28153 28154 573c3d8 Wow64SetThreadContext 28150->28154 28151 573fc53 28152->28150 28155 573c9a0 WriteProcessMemory 28152->28155 28156 573c9a8 WriteProcessMemory 28152->28156 28153->28151 28154->28151 28155->28152 28156->28152 28158 573c307 28157->28158 28159 573c327 ResumeThread 28157->28159 28158->28072 28161 573c399 28159->28161 28161->28072 28163 573c368 ResumeThread 28162->28163 28165 573c399 28163->28165 28165->28072 28167 573ca98 ReadProcessMemory 28166->28167 28169 573cb27 28167->28169 28169->28077 28171 573ca9e ReadProcessMemory 28170->28171 28173 573cb27 28171->28173 28173->28077 28175 573c987 28174->28175 28176 573c9a7 WriteProcessMemory 28174->28176 28175->28082 28178 573ca47 28176->28178 28178->28082 28180 573c9f0 WriteProcessMemory 28179->28180 28182 573ca47 28180->28182 28182->28082 28184 573c3d8 Wow64SetThreadContext 28183->28184 28186 573c465 28184->28186 28186->28083 28188 573c41d Wow64SetThreadContext 28187->28188 28190 573c465 28188->28190 28190->28083 28192 573ccb9 28191->28192 28192->28192 28193 573ce1e CreateProcessA 28192->28193 28194 573ce7b 28193->28194 28196 573cc2a 28195->28196 28196->28196 28197 573ce1e CreateProcessA 28196->28197 28198 573ce7b 28197->28198 28200 573c928 VirtualAllocEx 28199->28200 28202 573c965 28200->28202 28202->28123 28204 573c928 VirtualAllocEx 28203->28204 28206 573c965 28204->28206 28206->28123

                                                            Executed Functions

                                                            Function 00A2D3B0 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 00A2D43E
                                                            • GetCurrentThread.KERNEL32 ref: 00A2D47B
                                                            • GetCurrentProcess.KERNEL32 ref: 00A2D4B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 00A2D511
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 1890914397dbdbc985024275188a03dadd9c4b902eecbdfe6305cf20bf7d216d
                                                            • Instruction ID: 953bc4e872d572a2833ad2949d7d1be6305d4f84b6c79818644cbbfda225d416
                                                            • Opcode Fuzzy Hash: 1890914397dbdbc985024275188a03dadd9c4b902eecbdfe6305cf20bf7d216d
                                                            • Instruction Fuzzy Hash: EB5156B09003498FEB14EFAAD548B9EBBF1FF88314F208469E419A7351D774A944CF65
                                                            Function 00A2D3C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 00A2D43E
                                                            • GetCurrentThread.KERNEL32 ref: 00A2D47B
                                                            • GetCurrentProcess.KERNEL32 ref: 00A2D4B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 00A2D511
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 3d8c0bc2ddbeedd0256cd4fdf512b7392dd2a28e979189e7011f6c50d99d30b7
                                                            • Instruction ID: b383dc3fca466761e876cf3f9ab7eb5215d4b943773980adcfb37dd74842cca6
                                                            • Opcode Fuzzy Hash: 3d8c0bc2ddbeedd0256cd4fdf512b7392dd2a28e979189e7011f6c50d99d30b7
                                                            • Instruction Fuzzy Hash: D95157B09003498FEB14EFAAD548B9EBBF1FF88314F208469E419A7351D774A944CF66
                                                            Function 00A2B130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 44 a2b130-a2b13f 45 a2b141-a2b14e call a2aaf4 44->45 46 a2b16b-a2b16f 44->46 53 a2b150 45->53 54 a2b164 45->54 47 a2b183-a2b1c4 46->47 48 a2b171-a2b17b 46->48 55 a2b1d1-a2b1df 47->55 56 a2b1c6-a2b1ce 47->56 48->47 99 a2b156 call a2b3ba 53->99 100 a2b156 call a2b3c8 53->100 54->46 57 a2b203-a2b205 55->57 58 a2b1e1-a2b1e6 55->58 56->55 60 a2b208-a2b20f 57->60 61 a2b1f1 58->61 62 a2b1e8-a2b1ef call a2ab00 58->62 59 a2b15c-a2b15e 59->54 63 a2b2a0-a2b360 59->63 64 a2b211-a2b219 60->64 65 a2b21c-a2b223 60->65 66 a2b1f3-a2b201 61->66 62->66 94 a2b362-a2b365 63->94 95 a2b368-a2b393 GetModuleHandleW 63->95 64->65 69 a2b230-a2b239 call a2ab10 65->69 70 a2b225-a2b22d 65->70 66->60 75 a2b246-a2b24b 69->75 76 a2b23b-a2b243 69->76 70->69 78 a2b269-a2b276 75->78 79 a2b24d-a2b254 75->79 76->75 84 a2b278-a2b296 78->84 85 a2b299-a2b29f 78->85 79->78 80 a2b256-a2b266 call a2ab20 call a2ab30 79->80 80->78 84->85 94->95 96 a2b395-a2b39b 95->96 97 a2b39c-a2b3b0 95->97 96->97 99->59 100->59
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00A2B386
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: 0O}$0O}
                                                            • API String ID: 4139908857-2553111897
                                                            • Opcode ID: b7c2dabe9f41f1b2ff29cb1e5c497b56905182f30a7b22ca646665ff088e5bd2
                                                            • Instruction ID: 852097ab773712f6e037615b60ba733332cf26efd6fe952059a51741373acae8
                                                            • Opcode Fuzzy Hash: b7c2dabe9f41f1b2ff29cb1e5c497b56905182f30a7b22ca646665ff088e5bd2
                                                            • Instruction Fuzzy Hash: 5A714470A10B158FD724DF6AE55579ABBF1FF88300F008A2ED48ADBA50D774E845CBA1
                                                            Function 0573CC24 Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 154 573cc24-573cc28 155 573cc2b-573ccc5 154->155 156 573cc2a 154->156 158 573ccc7-573ccd1 155->158 159 573ccfe-573cd1e 155->159 156->155 158->159 160 573ccd3-573ccd5 158->160 166 573cd20-573cd2a 159->166 167 573cd57-573cd86 159->167 161 573ccd7-573cce1 160->161 162 573ccf8-573ccfb 160->162 164 573cce3 161->164 165 573cce5-573ccf4 161->165 162->159 164->165 165->165 168 573ccf6 165->168 166->167 169 573cd2c-573cd2e 166->169 173 573cd88-573cd92 167->173 174 573cdbf-573ce79 CreateProcessA 167->174 168->162 171 573cd51-573cd54 169->171 172 573cd30-573cd3a 169->172 171->167 175 573cd3e-573cd4d 172->175 176 573cd3c 172->176 173->174 178 573cd94-573cd96 173->178 187 573ce82-573cf08 174->187 188 573ce7b-573ce81 174->188 175->175 177 573cd4f 175->177 176->175 177->171 179 573cdb9-573cdbc 178->179 180 573cd98-573cda2 178->180 179->174 182 573cda6-573cdb5 180->182 183 573cda4 180->183 182->182 185 573cdb7 182->185 183->182 185->179 198 573cf0a-573cf0e 187->198 199 573cf18-573cf1c 187->199 188->187 198->199 200 573cf10 198->200 201 573cf1e-573cf22 199->201 202 573cf2c-573cf30 199->202 200->199 201->202 203 573cf24 201->203 204 573cf32-573cf36 202->204 205 573cf40-573cf44 202->205 203->202 204->205 206 573cf38 204->206 207 573cf56-573cf5d 205->207 208 573cf46-573cf4c 205->208 206->205 209 573cf74 207->209 210 573cf5f-573cf6e 207->210 208->207 212 573cf75 209->212 210->209 212->212
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0573CE66
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: d7ba43585acf216c14a734b2100f1615b4eb439fd224cf545441b8cf795e3e0b
                                                            • Instruction ID: f956d358f0534d327a431a03ff7929f89358558a2c9de292c409ded9f540b155
                                                            • Opcode Fuzzy Hash: d7ba43585acf216c14a734b2100f1615b4eb439fd224cf545441b8cf795e3e0b
                                                            • Instruction Fuzzy Hash: 35A17D71D003199FEB21DF68C842BEEBBB6BF44320F148169E809B7281DB759985DF91
                                                            Function 0573CC30 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 213 573cc30-573ccc5 215 573ccc7-573ccd1 213->215 216 573ccfe-573cd1e 213->216 215->216 217 573ccd3-573ccd5 215->217 223 573cd20-573cd2a 216->223 224 573cd57-573cd86 216->224 218 573ccd7-573cce1 217->218 219 573ccf8-573ccfb 217->219 221 573cce3 218->221 222 573cce5-573ccf4 218->222 219->216 221->222 222->222 225 573ccf6 222->225 223->224 226 573cd2c-573cd2e 223->226 230 573cd88-573cd92 224->230 231 573cdbf-573ce79 CreateProcessA 224->231 225->219 228 573cd51-573cd54 226->228 229 573cd30-573cd3a 226->229 228->224 232 573cd3e-573cd4d 229->232 233 573cd3c 229->233 230->231 235 573cd94-573cd96 230->235 244 573ce82-573cf08 231->244 245 573ce7b-573ce81 231->245 232->232 234 573cd4f 232->234 233->232 234->228 236 573cdb9-573cdbc 235->236 237 573cd98-573cda2 235->237 236->231 239 573cda6-573cdb5 237->239 240 573cda4 237->240 239->239 242 573cdb7 239->242 240->239 242->236 255 573cf0a-573cf0e 244->255 256 573cf18-573cf1c 244->256 245->244 255->256 257 573cf10 255->257 258 573cf1e-573cf22 256->258 259 573cf2c-573cf30 256->259 257->256 258->259 260 573cf24 258->260 261 573cf32-573cf36 259->261 262 573cf40-573cf44 259->262 260->259 261->262 263 573cf38 261->263 264 573cf56-573cf5d 262->264 265 573cf46-573cf4c 262->265 263->262 266 573cf74 264->266 267 573cf5f-573cf6e 264->267 265->264 269 573cf75 266->269 267->266 269->269
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0573CE66
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 93c422bbaba8284e51a0acb5d06e4588ced2509830fb4d7526eb5fe6a97be860
                                                            • Instruction ID: 27de11e5bb70e40f7ccf53f081fc4a9067f8a27b3b5a4df57a604198adbbdf17
                                                            • Opcode Fuzzy Hash: 93c422bbaba8284e51a0acb5d06e4588ced2509830fb4d7526eb5fe6a97be860
                                                            • Instruction Fuzzy Hash: 55916D71D003299FEB11DF68C842BEEBBB6BF44320F148169E809B7241DB759985DF91
                                                            Function 00A2590D Relevance: 1.6, APIs: 1, Instructions: 101COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 270 a2590d-a259d9 CreateActCtxA 272 a259e2-a25a3c 270->272 273 a259db-a259e1 270->273 280 a25a4b-a25a4f 272->280 281 a25a3e-a25a41 272->281 273->272 282 a25a60 280->282 283 a25a51-a25a5d 280->283 281->280 285 a25a61 282->285 283->282 285->285
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 00A259C9
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 72bbade2301437355ee61e90e5c8bd13dff4e81ac06ad9c5c35c0ddc938007eb
                                                            • Instruction ID: 795d39683b2f67fe297539c2e10a43f3f72d7e17bad33a8e4ab17120d264c423
                                                            • Opcode Fuzzy Hash: 72bbade2301437355ee61e90e5c8bd13dff4e81ac06ad9c5c35c0ddc938007eb
                                                            • Instruction Fuzzy Hash: A241E171C0171DCFEB24DFAAC88579EBBB5BF89714F20816AD408AB250DB716946CF50
                                                            Function 00A244C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 286 a244c4-a259d9 CreateActCtxA 289 a259e2-a25a3c 286->289 290 a259db-a259e1 286->290 297 a25a4b-a25a4f 289->297 298 a25a3e-a25a41 289->298 290->289 299 a25a60 297->299 300 a25a51-a25a5d 297->300 298->297 302 a25a61 299->302 300->299 302->302
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 00A259C9
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 8cf541da8c190659365766e04ba3ab2b27e5166371bd2ea1860464861f5c6070
                                                            • Instruction ID: 8550f197753accd96b789cfb49f839f5b51b917f1c5eba57788e778f83580e08
                                                            • Opcode Fuzzy Hash: 8cf541da8c190659365766e04ba3ab2b27e5166371bd2ea1860464861f5c6070
                                                            • Instruction Fuzzy Hash: B241E170C0072DCFDB24DFAAC88579EBBB5BF88714F60816AD408AB251DB716945CF90
                                                            Function 0573C9A0 Relevance: 1.6, APIs: 1, Instructions: 82injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 303 573c9a0-573c9a5 304 573c987-573c991 303->304 305 573c9a7-573c9f6 303->305 308 573ca06-573ca45 WriteProcessMemory 305->308 309 573c9f8-573ca04 305->309 311 573ca47-573ca4d 308->311 312 573ca4e-573ca7e 308->312 309->308 311->312
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0573CA38
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 5f4fc17c8c7a3e64af03c8cb53dfd2d517fed33282b4e8ad8f97303da53eb43c
                                                            • Instruction ID: 1367af3b25dc10132480511b0e6da4ab86b47ecf61baa25d3d406df1ba02500d
                                                            • Opcode Fuzzy Hash: 5f4fc17c8c7a3e64af03c8cb53dfd2d517fed33282b4e8ad8f97303da53eb43c
                                                            • Instruction Fuzzy Hash: 93317A759003599FDB10CFAAD842BDEBBF9FF88320F10842AE959A7241D7749950DBA0
                                                            Function 0573C9A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 316 573c9a8-573c9f6 318 573ca06-573ca45 WriteProcessMemory 316->318 319 573c9f8-573ca04 316->319 321 573ca47-573ca4d 318->321 322 573ca4e-573ca7e 318->322 319->318 321->322
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0573CA38
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: a798ec619dcdc4b6a0eb1e0d048dff801637264350195000639802dbae3655f4
                                                            • Instruction ID: 9f14294c8b366ee61ead872f2dffc1090b618ff2df9010caff4dba4758d7a5a1
                                                            • Opcode Fuzzy Hash: a798ec619dcdc4b6a0eb1e0d048dff801637264350195000639802dbae3655f4
                                                            • Instruction Fuzzy Hash: 312155719003599FDB10CFAAC881BDEBBF5FF48320F10842AE919A7240D7789940DBA0
                                                            Function 0573CA91 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 326 573ca91-573ca96 327 573ca98-573ca9d 326->327 328 573ca9e-573cb25 ReadProcessMemory 326->328 327->328 331 573cb27-573cb2d 328->331 332 573cb2e-573cb5e 328->332 331->332
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0573CB18
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 221038be81e8dddf9dbc890fca42c0e50e01ba288a87511528c6a5446f8afab6
                                                            • Instruction ID: aa59aaf77b0a0824e26f91646bfe0cfcd3aef64664ab5b17f5170cfb04b52b08
                                                            • Opcode Fuzzy Hash: 221038be81e8dddf9dbc890fca42c0e50e01ba288a87511528c6a5446f8afab6
                                                            • Instruction Fuzzy Hash: 7221287180034D9FDB10DFAAC885BEEBBF9FF48320F50842AE559A7241D7799901DBA0
                                                            Function 0573C3D7 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 337 573c3d7-573c423 340 573c433-573c463 Wow64SetThreadContext 337->340 341 573c425-573c431 337->341 343 573c465-573c46b 340->343 344 573c46c-573c49c 340->344 341->340 343->344
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0573C456
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: a070aef7c3cd87f768a79c0ac78f0c8e83e91cfaa9d1e48d561379e23f939dc9
                                                            • Instruction ID: c666fe329302809f8e8eea6b0bfe653713546278133cbc82bba519a52442df17
                                                            • Opcode Fuzzy Hash: a070aef7c3cd87f768a79c0ac78f0c8e83e91cfaa9d1e48d561379e23f939dc9
                                                            • Instruction Fuzzy Hash: EB2135719003098FDB10DFAAC485BEEBBF8AF88220F54842AD559A7241DB789945CFA0
                                                            Function 0573C3D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 353 573c3d8-573c423 355 573c433-573c463 Wow64SetThreadContext 353->355 356 573c425-573c431 353->356 358 573c465-573c46b 355->358 359 573c46c-573c49c 355->359 356->355 358->359
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0573C456
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 0f0b5ad7b3ec21c9a0b3635d2d2f850c508d7f6a8a10fc247c8bb27cabc4f96e
                                                            • Instruction ID: 5cf218d3836c45b2f40f6a59889b573b2fedb7148d1d12b36ab73d9c55cd5948
                                                            • Opcode Fuzzy Hash: 0f0b5ad7b3ec21c9a0b3635d2d2f850c508d7f6a8a10fc247c8bb27cabc4f96e
                                                            • Instruction Fuzzy Hash: FC2115719003098FDB10DFAAC4857AEBBF8AF88224F54842AD559A7241DB789945CFA4
                                                            Function 0573CA98 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 363 573ca98-573cb25 ReadProcessMemory 367 573cb27-573cb2d 363->367 368 573cb2e-573cb5e 363->368 367->368
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0573CB18
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 533dc2907cfcef5156c9d06245d112c999acb3ca4e9a5ad353f1f79cd5b3bb5f
                                                            • Instruction ID: e94ee1e6f915f19cbe2b91dc80c56ba19be2f9115a197b10b6019b0f8c764064
                                                            • Opcode Fuzzy Hash: 533dc2907cfcef5156c9d06245d112c999acb3ca4e9a5ad353f1f79cd5b3bb5f
                                                            • Instruction Fuzzy Hash: B221257180034D9FDB10DFAAC881BEEBBF5FF48320F50842AE959A7240D7789900DBA0
                                                            Function 00A2D600 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 348 a2d600-a2d69c DuplicateHandle 349 a2d6a5-a2d6c2 348->349 350 a2d69e-a2d6a4 348->350 350->349
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A2D68F
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: ca5ca68f3b61b4e99d7e46ac4fde2d0039574ce33e7e262088feeb3abe0a0236
                                                            • Instruction ID: e38a2d40c1c74d99fc0e3619fb29a4c51b43747e2672e911cb8df0aca460926e
                                                            • Opcode Fuzzy Hash: ca5ca68f3b61b4e99d7e46ac4fde2d0039574ce33e7e262088feeb3abe0a0236
                                                            • Instruction Fuzzy Hash: 6121E2B5900259DFDB10CFAAD984ADEBBF5FB48320F14842AE958A7350D378A950CF64
                                                            Function 00A2D608 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A2D68F
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 5fbd51f33b2db61bc58eee05b189649ffedd37de53fac11eb9d261dc66f7113e
                                                            • Instruction ID: b116650509b2782d820584806094598ced6babbb9edaaf211f790a3a9ad5fd68
                                                            • Opcode Fuzzy Hash: 5fbd51f33b2db61bc58eee05b189649ffedd37de53fac11eb9d261dc66f7113e
                                                            • Instruction Fuzzy Hash: 6A21F5B59003499FDB10CFAAD984ADEFBF8FB48310F14841AE958A3350D378A950CF64
                                                            Function 0573C322 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 45c6b83cba284da2b20756713b4bdcc47bde06b9bc80bceeca79a10bf0fc9ec0
                                                            • Instruction ID: a5ed32eb9c1bc57998b3556248b7384f7545f8a837701c32c52e234c669337e3
                                                            • Opcode Fuzzy Hash: 45c6b83cba284da2b20756713b4bdcc47bde06b9bc80bceeca79a10bf0fc9ec0
                                                            • Instruction Fuzzy Hash: 621179718003498FDB20DFAAC4467EFFBF8EF88224F14841DD559A7240CB79A941CBA6
                                                            Function 0573C8E0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0573C956
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 74e01009036ba90ad156723c56c5348068dbab016427d3ea41d1c63ae45fe8fa
                                                            • Instruction ID: 7d996a4de94955234fe92e0cddf0df8072f801b8b9f89385124dd5f5be451bbb
                                                            • Opcode Fuzzy Hash: 74e01009036ba90ad156723c56c5348068dbab016427d3ea41d1c63ae45fe8fa
                                                            • Instruction Fuzzy Hash: 551167758003498FDB10DFAAC845BDFBBF5AF88320F108419E959A7240C7359901DFA0
                                                            Function 0573C8E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0573C956
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 455a282e62c7d2e1eecf523bd8d6855f50ba5f721ee1e142ca364927b7c5848d
                                                            • Instruction ID: 9f77e950419d91fb11a389533b8c2a001236d9f483e10a8c9c84c599bf8ea302
                                                            • Opcode Fuzzy Hash: 455a282e62c7d2e1eecf523bd8d6855f50ba5f721ee1e142ca364927b7c5848d
                                                            • Instruction Fuzzy Hash: AC11567180034D8FDB10DFAAC845BDFBBF9AF88320F108419E559A7250C7759900CFA0
                                                            Function 0573C328 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1512633716.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_5730000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 6e34d153a138534dbd9a2abe968baaf4a9b2ad87ef53aefa89786a2138e17600
                                                            • Instruction ID: c7dcecadd56f3cbf12b9f74af224c07cd2e18566550db6788449cd33eb01c0dc
                                                            • Opcode Fuzzy Hash: 6e34d153a138534dbd9a2abe968baaf4a9b2ad87ef53aefa89786a2138e17600
                                                            • Instruction Fuzzy Hash: 001166718003498FDB20DFAAC4457DFFBF8AF88220F248419D419A7240CB79A904CFA4
                                                            Function 0A1302B9 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 0A13031D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1514440134.000000000A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A130000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a130000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 56f176b1157b2873a556c6962ea2481fb5c2bd4c20417b465068d8d819d86e19
                                                            • Instruction ID: 0507cba28b08071187a69a46f091a27d9f6e3b2f5b56ec5e8c69896d9116d7d6
                                                            • Opcode Fuzzy Hash: 56f176b1157b2873a556c6962ea2481fb5c2bd4c20417b465068d8d819d86e19
                                                            • Instruction Fuzzy Hash: 631113B58003499FDB20DF9AD885BDFBBF8EB48310F10844AE958A3200C379A640CFA5
                                                            Function 00A2B320 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00A2B386
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1506762827.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a20000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: e2f2ee54221716ed5162e75992f7cf16c2925b7ca7dacfef4909782119928290
                                                            • Instruction ID: 2939aebd570c43023613c4a83aa768914cf87d41584df6414dd61ee2a8d8af20
                                                            • Opcode Fuzzy Hash: e2f2ee54221716ed5162e75992f7cf16c2925b7ca7dacfef4909782119928290
                                                            • Instruction Fuzzy Hash: 691110B5C003498FCB20DF9AD444BDEFBF4AB88320F10842AD428A7610D379A945CFA1
                                                            Function 0A1302C0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 0A13031D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1514440134.000000000A130000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A130000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_a130000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 61b47511b2738bd1acd8065d9882f0c0f6856de7da18556b67f9a64a46ef2d0e
                                                            • Instruction ID: 21f630e4511c372909457db50d2f33e20f46980741153284a8411e8fa229f933
                                                            • Opcode Fuzzy Hash: 61b47511b2738bd1acd8065d9882f0c0f6856de7da18556b67f9a64a46ef2d0e
                                                            • Instruction Fuzzy Hash: 2D1115B58003499FDB10DF9AC885BDEFBF8FB48320F108459D558A3200C379A944CFA5
                                                            Function 007BD3D8 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505305397.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7bd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6d8999cf3169916a63dca150576647141ec25e100c9957f4c00a8b80099b86f
                                                            • Instruction ID: a0d6d2d0fc8088a30995d11e09780237e258de5a2893bd4c5f786d9af59d2ed0
                                                            • Opcode Fuzzy Hash: e6d8999cf3169916a63dca150576647141ec25e100c9957f4c00a8b80099b86f
                                                            • Instruction Fuzzy Hash: 022145B1204384DFDB24DF00D9C4B56BB65FB98324F20C669EC090B246D33AEC46CBA2
                                                            Function 007BD4C4 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505305397.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7bd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 245d92721c947885154ebd9368d86bc1e9fec592fde5f3c765d4d253b1c6af21
                                                            • Instruction ID: f23163346fed5395ac6f6ce0111cf0afad1bf6e097ca165492a5bb5f10f892e8
                                                            • Opcode Fuzzy Hash: 245d92721c947885154ebd9368d86bc1e9fec592fde5f3c765d4d253b1c6af21
                                                            • Instruction Fuzzy Hash: FB2103B1504244DFDB25DF14D9C4B66BF66FF88328F20C569E8090B256D33ADC66CBA2
                                                            Function 007DD01C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505436805.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7dd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c06106b89cdc33f82fe908cf638fbfdbc73bac6ad57fd8e42946d098b7c72a84
                                                            • Instruction ID: ccccbb0ff2ca60388836c29105b1ef7eb6d9610073f2f83c06be4501296038c8
                                                            • Opcode Fuzzy Hash: c06106b89cdc33f82fe908cf638fbfdbc73bac6ad57fd8e42946d098b7c72a84
                                                            • Instruction Fuzzy Hash: A221CFB56043049FDB24DF24D984B16BB65EBC8314F24C56AD84A4B386C37ADC46CA62
                                                            Function 007DD1D4 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505436805.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7dd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ec2bbb39499474f8953b869e7d4e4763688d271636cde8373ab2a006384c252
                                                            • Instruction ID: 69d26fdb1d3a7374cb60f3262ff8b2eb5f18711d73265f5f7ef08f1108d1a3d7
                                                            • Opcode Fuzzy Hash: 5ec2bbb39499474f8953b869e7d4e4763688d271636cde8373ab2a006384c252
                                                            • Instruction Fuzzy Hash: 9A21D375604304AFDB15DF50D984B25BB75FB84314F20C56ED8494B392C33AEC46CA61
                                                            Function 007DD005 Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505436805.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7dd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7a002025771493d714df077da32e5e773313190f5d166891b5b57fb736ceab86
                                                            • Instruction ID: 39d54712b8707ebc4af21947f710180899a31e3084bee25487151b9c4c22cc38
                                                            • Opcode Fuzzy Hash: 7a002025771493d714df077da32e5e773313190f5d166891b5b57fb736ceab86
                                                            • Instruction Fuzzy Hash: 552150755083849FCB12CF24D994715BF71EB86314F28C5EAD8498F2A7C33A9C56CB62
                                                            Function 007BD4BF Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505305397.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7bd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 7190e4c7d6d982d983546be817ac835987843860076d2be283f5fe89eb53c767
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 3F112676504280CFCB21CF10D5C4B56BF72FF84324F24C6A9D8490B256C33AD866CBA1
                                                            Function 007BD3D3 Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505305397.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7bd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction ID: 7d7bfb4b49aa6feed2fc5f769e616fa456f1db46d05e40184df3e63510d7a71a
                                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                            • Instruction Fuzzy Hash: 1711D376504280DFCB15CF14D5C4B56BF72FB94324F24C6A9DC490B656C33AE85ACBA2
                                                            Function 007DD1CF Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505436805.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7dd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: a8d5254b4a43b0fe4f8bcf878777a8b7363bd3006f69a4ddcff97e434ff5ad39
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: 57118B75504284DFCB15DF14D6C4B15BBB2FB84324F24C6AED8494B796C33AE84ACB61
                                                            Function 007BD759 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505305397.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7bd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d7987e6f32d46a52884f97ec24775069a107907b578e6ab025fb3f75f4598bc7
                                                            • Instruction ID: e73d9e7ef8d08d365469d78a1071fabeb7594cb775031394d8b6868187d2241c
                                                            • Opcode Fuzzy Hash: d7987e6f32d46a52884f97ec24775069a107907b578e6ab025fb3f75f4598bc7
                                                            • Instruction Fuzzy Hash: 2C01A7710043449AE7305A26CC84BE6BB98EF51725F28C55AED094A286DB7D9C40C6B2
                                                            Function 007BD758 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1505305397.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7bd000_rjBdvmaV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f1595be4980566492be0e2665dc5f8d05efcec01af259fce334c1ad5cee2112
                                                            • Instruction ID: 3f9bc5adc5c79c8ae5facfdea0bec63f43cd3e07e9763841504716f5672e0c6c
                                                            • Opcode Fuzzy Hash: 4f1595be4980566492be0e2665dc5f8d05efcec01af259fce334c1ad5cee2112
                                                            • Instruction Fuzzy Hash: 8EF062714043449EE7208A16DC84BA2FFA8EF51735F18C55AED094B286D779AC44CAB1

                                                            Execution Graph

                                                            Execution Coverage:12.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:43
                                                            Total number of Limit Nodes:4
                                                            execution_graph 27336 dc29a8 27338 dc29c4 27336->27338 27337 dc2ad4 27338->27337 27339 649da88 GlobalMemoryStatusEx 27338->27339 27340 649da98 GlobalMemoryStatusEx 27338->27340 27339->27338 27340->27338 27341 1110848 27343 111084e 27341->27343 27342 111091b 27343->27342 27346 111147a 27343->27346 27353 111136f 27343->27353 27347 1111386 27346->27347 27348 1111470 27347->27348 27352 111147a GlobalMemoryStatusEx 27347->27352 27360 1117d90 27347->27360 27364 1117d80 27347->27364 27368 1117ea8 27347->27368 27348->27343 27352->27347 27355 1111373 27353->27355 27354 1111470 27354->27343 27355->27354 27356 1117d90 GlobalMemoryStatusEx 27355->27356 27357 1117d80 GlobalMemoryStatusEx 27355->27357 27358 1117ea8 GlobalMemoryStatusEx 27355->27358 27359 111147a GlobalMemoryStatusEx 27355->27359 27356->27355 27357->27355 27358->27355 27359->27355 27362 1117da6 27360->27362 27361 1117f12 27361->27347 27362->27361 27375 649f2af 27362->27375 27366 1117da6 27364->27366 27365 1117f12 27365->27347 27366->27365 27367 649f2af GlobalMemoryStatusEx 27366->27367 27367->27365 27369 1117eb2 27368->27369 27371 1117ecc 27369->27371 27373 649da98 GlobalMemoryStatusEx 27369->27373 27383 649da88 27369->27383 27370 1117f12 27370->27347 27371->27370 27374 649f2af GlobalMemoryStatusEx 27371->27374 27373->27371 27374->27370 27376 649f2ba 27375->27376 27379 649da98 27376->27379 27378 649f2c1 27378->27361 27380 649daad 27379->27380 27381 649dcc2 27380->27381 27382 649dcd9 GlobalMemoryStatusEx 27380->27382 27381->27378 27382->27380 27384 649daad 27383->27384 27385 649dcc2 27384->27385 27386 649dcd9 GlobalMemoryStatusEx 27384->27386 27385->27371 27386->27384

                                                            Executed Functions

                                                            Function 0111AA22 Relevance: 2.7, Instructions: 2739COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8319f310da8267fe8312bfef088869fe7d495b32de33956cf5b46581f4a21ff0
                                                            • Instruction ID: 3bd49dcb8b5f6ed33a52b3e7e6157ddb426ce3c3265c0a0035e7e786c70594af
                                                            • Opcode Fuzzy Hash: 8319f310da8267fe8312bfef088869fe7d495b32de33956cf5b46581f4a21ff0
                                                            • Instruction Fuzzy Hash: 1953F731C10B1A8ADB51EF68C884699F7B1FF99300F11D79AE4587B125FB70AAD4CB81
                                                            Function 011141B8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 586 11141b8-111421e 588 1114220-111422b 586->588 589 1114268-111426a 586->589 588->589 590 111422d-1114239 588->590 591 111426c-1114285 589->591 592 111423b-1114245 590->592 593 111425c-1114266 590->593 597 11142d1-11142d3 591->597 598 1114287-1114293 591->598 594 1114247 592->594 595 1114249-1114258 592->595 593->591 594->595 595->595 599 111425a 595->599 601 11142d5-111432d 597->601 598->597 600 1114295-11142a1 598->600 599->593 602 11142a3-11142ad 600->602 603 11142c4-11142cf 600->603 610 1114377-1114379 601->610 611 111432f-111433a 601->611 604 11142b1-11142c0 602->604 605 11142af 602->605 603->601 604->604 607 11142c2 604->607 605->604 607->603 613 111437b-1114393 610->613 611->610 612 111433c-1114348 611->612 614 111436b-1114375 612->614 615 111434a-1114354 612->615 620 1114395-11143a0 613->620 621 11143dd-11143df 613->621 614->613 616 1114356 615->616 617 1114358-1114367 615->617 616->617 617->617 619 1114369 617->619 619->614 620->621 623 11143a2-11143ae 620->623 622 11143e1-1114446 621->622 632 1114448-111444e 622->632 633 111444f-11144af 622->633 624 11143d1-11143db 623->624 625 11143b0-11143ba 623->625 624->622 627 11143bc 625->627 628 11143be-11143cd 625->628 627->628 628->628 629 11143cf 628->629 629->624 632->633 640 11144b1-11144b5 633->640 641 11144bf-11144c3 633->641 640->641 642 11144b7 640->642 643 11144d3-11144d7 641->643 644 11144c5-11144c9 641->644 642->641 646 11144e7-11144eb 643->646 647 11144d9-11144dd 643->647 644->643 645 11144cb 644->645 645->643 648 11144fb-11144ff 646->648 649 11144ed-11144f1 646->649 647->646 650 11144df-11144e2 call 1110ab8 647->650 653 1114501-1114505 648->653 654 111450f-1114513 648->654 649->648 652 11144f3-11144f6 call 1110ab8 649->652 650->646 652->648 653->654 656 1114507-111450a call 1110ab8 653->656 657 1114523-1114527 654->657 658 1114515-1114519 654->658 656->654 661 1114537 657->661 662 1114529-111452d 657->662 658->657 660 111451b 658->660 660->657 664 1114538 661->664 662->661 663 111452f 662->663 663->661 664->664
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin
                                                            • API String ID: 0-3600523701
                                                            • Opcode ID: 4388dbb1ac9576c3a6ae07b4f6329eb6352a80cf67a8eca5f04db526a04d298e
                                                            • Instruction ID: 3433a9f0e58e442dceefe644e27d58ef094eee1e62b35ddb0d94db5a5fced406
                                                            • Opcode Fuzzy Hash: 4388dbb1ac9576c3a6ae07b4f6329eb6352a80cf67a8eca5f04db526a04d298e
                                                            • Instruction Fuzzy Hash: C6B15070E04219CFDB18CFA9D8857DDFBF2AF88B14F148139D415A7A58EB749841CB81
                                                            Function 01113E70 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 745 1113e70-1113ed6 747 1113f20-1113f22 745->747 748 1113ed8-1113ee3 745->748 750 1113f24-1113f7c 747->750 748->747 749 1113ee5-1113ef1 748->749 751 1113ef3-1113efd 749->751 752 1113f14-1113f1e 749->752 759 1113fc6-1113fc8 750->759 760 1113f7e-1113f89 750->760 754 1113f01-1113f10 751->754 755 1113eff 751->755 752->750 754->754 756 1113f12 754->756 755->754 756->752 762 1113fca-1113fe2 759->762 760->759 761 1113f8b-1113f97 760->761 763 1113f99-1113fa3 761->763 764 1113fba-1113fc4 761->764 768 1113fe4-1113fef 762->768 769 111402c-111402e 762->769 765 1113fa5 763->765 766 1113fa7-1113fb6 763->766 764->762 765->766 766->766 770 1113fb8 766->770 768->769 771 1113ff1-1113ffd 768->771 772 1114030-111407e 769->772 770->764 773 1114020-111402a 771->773 774 1113fff-1114009 771->774 780 1114084-1114092 772->780 773->772 775 111400b 774->775 776 111400d-111401c 774->776 775->776 776->776 778 111401e 776->778 778->773 781 1114094-111409a 780->781 782 111409b-11140fb 780->782 781->782 789 111410b-111410f 782->789 790 11140fd-1114101 782->790 792 1114111-1114115 789->792 793 111411f-1114123 789->793 790->789 791 1114103 790->791 791->789 792->793 796 1114117-111411a call 1110ab8 792->796 794 1114133-1114137 793->794 795 1114125-1114129 793->795 798 1114147-111414b 794->798 799 1114139-111413d 794->799 795->794 797 111412b-111412e call 1110ab8 795->797 796->793 797->794 803 111415b-111415f 798->803 804 111414d-1114151 798->804 799->798 802 111413f-1114142 call 1110ab8 799->802 802->798 807 1114161-1114165 803->807 808 111416f 803->808 804->803 806 1114153 804->806 806->803 807->808 809 1114167 807->809 810 1114170 808->810 809->808 810->810
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin
                                                            • API String ID: 0-3600523701
                                                            • Opcode ID: c7272e050001dbe4ab6fd909c9271aa8214b1d8a0d0eb7a9a80f47ffe737d558
                                                            • Instruction ID: 4fbc5e2069250d7adce31029b6856595e265dc122e974c3dbc79004f95f91b05
                                                            • Opcode Fuzzy Hash: c7272e050001dbe4ab6fd909c9271aa8214b1d8a0d0eb7a9a80f47ffe737d558
                                                            • Instruction Fuzzy Hash: 26914A70E0020ACFDB18CFA9D89179DFBF2BF88714F148139E415A7698EB749845CB82
                                                            Function 01114A88 Relevance: .3, Instructions: 266COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06c95149aa93edb402b17e57e98a34a00d493317fbafd2b6c48acb65e48d669a
                                                            • Instruction ID: d6a6015ee987df794a992183c3ba612679ee44e0f52f3c5984d83d91f1f70d2c
                                                            • Opcode Fuzzy Hash: 06c95149aa93edb402b17e57e98a34a00d493317fbafd2b6c48acb65e48d669a
                                                            • Instruction Fuzzy Hash: 24B15B70E002098FDF18CFA9C8917ADFBF2BF88B14F148539D815A7698EB749845CB85
                                                            Function 01114800 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 459 1114800-111488c 462 11148d6-11148d8 459->462 463 111488e-1114899 459->463 464 11148da-11148f2 462->464 463->462 465 111489b-11148a7 463->465 471 11148f4-11148ff 464->471 472 111493c-111493e 464->472 466 11148a9-11148b3 465->466 467 11148ca-11148d4 465->467 469 11148b5 466->469 470 11148b7-11148c6 466->470 467->464 469->470 470->470 473 11148c8 470->473 471->472 474 1114901-111490d 471->474 475 1114940-1114985 472->475 473->467 476 1114930-111493a 474->476 477 111490f-1114919 474->477 483 111498b-1114999 475->483 476->475 478 111491b 477->478 479 111491d-111492c 477->479 478->479 479->479 481 111492e 479->481 481->476 484 11149a2-11149ff 483->484 485 111499b-11149a1 483->485 492 1114a01-1114a05 484->492 493 1114a0f-1114a13 484->493 485->484 492->493 496 1114a07-1114a0a call 1110ab8 492->496 494 1114a23-1114a27 493->494 495 1114a15-1114a19 493->495 498 1114a37-1114a3b 494->498 499 1114a29-1114a2d 494->499 495->494 497 1114a1b-1114a1e call 1110ab8 495->497 496->493 497->494 503 1114a4b 498->503 504 1114a3d-1114a41 498->504 499->498 502 1114a2f 499->502 502->498 506 1114a4c 503->506 504->503 505 1114a43 504->505 505->503 506->506
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin$\Vin
                                                            • API String ID: 0-241749244
                                                            • Opcode ID: ecc1b7cde8a370d23bc3a8eb601a4206c6159a462834f3bc3fd06d500712bc5f
                                                            • Instruction ID: 0a9ca3d05804760a0a3e1c79625d44e6632d5380761539938395b5ec604e59f3
                                                            • Opcode Fuzzy Hash: ecc1b7cde8a370d23bc3a8eb601a4206c6159a462834f3bc3fd06d500712bc5f
                                                            • Instruction Fuzzy Hash: CA715A71E0024DCFDB18DFA9D88079EFBF2AF88B14F148129E415A7658EB749842CF95
                                                            Function 011147F4 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 507 11147f4-111488c 510 11148d6-11148d8 507->510 511 111488e-1114899 507->511 512 11148da-11148f2 510->512 511->510 513 111489b-11148a7 511->513 519 11148f4-11148ff 512->519 520 111493c-111493e 512->520 514 11148a9-11148b3 513->514 515 11148ca-11148d4 513->515 517 11148b5 514->517 518 11148b7-11148c6 514->518 515->512 517->518 518->518 521 11148c8 518->521 519->520 522 1114901-111490d 519->522 523 1114940-1114952 520->523 521->515 524 1114930-111493a 522->524 525 111490f-1114919 522->525 530 1114959-1114985 523->530 524->523 526 111491b 525->526 527 111491d-111492c 525->527 526->527 527->527 529 111492e 527->529 529->524 531 111498b-1114999 530->531 532 11149a2-11149ff 531->532 533 111499b-11149a1 531->533 540 1114a01-1114a05 532->540 541 1114a0f-1114a13 532->541 533->532 540->541 544 1114a07-1114a0a call 1110ab8 540->544 542 1114a23-1114a27 541->542 543 1114a15-1114a19 541->543 546 1114a37-1114a3b 542->546 547 1114a29-1114a2d 542->547 543->542 545 1114a1b-1114a1e call 1110ab8 543->545 544->541 545->542 551 1114a4b 546->551 552 1114a3d-1114a41 546->552 547->546 550 1114a2f 547->550 550->546 554 1114a4c 551->554 552->551 553 1114a43 552->553 553->551 554->554
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin$\Vin
                                                            • API String ID: 0-241749244
                                                            • Opcode ID: be9b47027c1eaaf3f9b71beec0da693c2d51f24176cf2eb2105e44b6d6298788
                                                            • Instruction ID: e2dba17127e9b0f1744de79f7e20597863bf101bd9907c55fcc68a5822541e36
                                                            • Opcode Fuzzy Hash: be9b47027c1eaaf3f9b71beec0da693c2d51f24176cf2eb2105e44b6d6298788
                                                            • Instruction Fuzzy Hash: D2715971E0024DCFDB18DFA9D88079EFBF2AF88B14F148129E415A7658EB749842CF95
                                                            Function 0649EA00 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 555 649ea00-649ea1b 556 649ea1d-649ea44 call 649cef0 555->556 557 649ea45-649ea64 call 649cefc 555->557 563 649ea6a-649eac9 557->563 564 649ea66-649ea69 557->564 571 649eacb-649eace 563->571 572 649eacf-649eb5c GlobalMemoryStatusEx 563->572 576 649eb5e-649eb64 572->576 577 649eb65-649eb8d 572->577 576->577
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3876275221.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6490000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd1259e662782cb879b02a1c2d1ec30b7adc473bcb78a25ddcd2016ed11c38e5
                                                            • Instruction ID: ca1634cb3d63f856f6c26aec436ef1ad0c5e9a1438183c8d9ea025bad8653869
                                                            • Opcode Fuzzy Hash: bd1259e662782cb879b02a1c2d1ec30b7adc473bcb78a25ddcd2016ed11c38e5
                                                            • Instruction Fuzzy Hash: A5412372D003499FCB14DBAAD8047EEBBF5EF89210F04856BD908A7341DB789845CBE0
                                                            Function 0649EAE8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 580 649eae8-649eb26 581 649eb2e-649eb5c GlobalMemoryStatusEx 580->581 582 649eb5e-649eb64 581->582 583 649eb65-649eb8d 581->583 582->583
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 0649EB4F
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3876275221.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6490000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 871b2d19c78a1fe484dff98b1ef943c18b9e676468fcc0e3302dec9836f979d2
                                                            • Instruction ID: e29b8614c37883aa330d1b183872a1e108e6997294afba9d07e02a5302598885
                                                            • Opcode Fuzzy Hash: 871b2d19c78a1fe484dff98b1ef943c18b9e676468fcc0e3302dec9836f979d2
                                                            • Instruction Fuzzy Hash: E61120B1C0065A9FCB10DFAAC844BDEFBF4BF48720F11812AD818A7240D778A954CFA5
                                                            Function 011141AC Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 665 11141ac-111421e 668 1114220-111422b 665->668 669 1114268-111426a 665->669 668->669 670 111422d-1114239 668->670 671 111426c-1114285 669->671 672 111423b-1114245 670->672 673 111425c-1114266 670->673 677 11142d1-11142d3 671->677 678 1114287-1114293 671->678 674 1114247 672->674 675 1114249-1114258 672->675 673->671 674->675 675->675 679 111425a 675->679 681 11142d5-111432d 677->681 678->677 680 1114295-11142a1 678->680 679->673 682 11142a3-11142ad 680->682 683 11142c4-11142cf 680->683 690 1114377-1114379 681->690 691 111432f-111433a 681->691 684 11142b1-11142c0 682->684 685 11142af 682->685 683->681 684->684 687 11142c2 684->687 685->684 687->683 693 111437b-1114393 690->693 691->690 692 111433c-1114348 691->692 694 111436b-1114375 692->694 695 111434a-1114354 692->695 700 1114395-11143a0 693->700 701 11143dd-11143df 693->701 694->693 696 1114356 695->696 697 1114358-1114367 695->697 696->697 697->697 699 1114369 697->699 699->694 700->701 703 11143a2-11143ae 700->703 702 11143e1-11143f3 701->702 710 11143fa-1114432 702->710 704 11143d1-11143db 703->704 705 11143b0-11143ba 703->705 704->702 707 11143bc 705->707 708 11143be-11143cd 705->708 707->708 708->708 709 11143cf 708->709 709->704 711 1114438-1114446 710->711 712 1114448-111444e 711->712 713 111444f-11144af 711->713 712->713 720 11144b1-11144b5 713->720 721 11144bf-11144c3 713->721 720->721 722 11144b7 720->722 723 11144d3-11144d7 721->723 724 11144c5-11144c9 721->724 722->721 726 11144e7-11144eb 723->726 727 11144d9-11144dd 723->727 724->723 725 11144cb 724->725 725->723 728 11144fb-11144ff 726->728 729 11144ed-11144f1 726->729 727->726 730 11144df-11144e2 call 1110ab8 727->730 733 1114501-1114505 728->733 734 111450f-1114513 728->734 729->728 732 11144f3-11144f6 call 1110ab8 729->732 730->726 732->728 733->734 736 1114507-111450a call 1110ab8 733->736 737 1114523-1114527 734->737 738 1114515-1114519 734->738 736->734 741 1114537 737->741 742 1114529-111452d 737->742 738->737 740 111451b 738->740 740->737 744 1114538 741->744 742->741 743 111452f 742->743 743->741 744->744
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin
                                                            • API String ID: 0-3600523701
                                                            • Opcode ID: 8721afeb36cda79fe1560f482ae6cbda39b214e705b7856d516a4358b13ba396
                                                            • Instruction ID: 69821db266f43bb11633b635b5c7cebf625676a7b2a6ab7c734ec32d42874e6c
                                                            • Opcode Fuzzy Hash: 8721afeb36cda79fe1560f482ae6cbda39b214e705b7856d516a4358b13ba396
                                                            • Instruction Fuzzy Hash: 3BB15C70E04219CFDB18CFA9D8857DDFBF1AF88B14F148139D815A7A98EB749881CB91
                                                            Function 01113E66 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 811 1113e66-1113ed6 813 1113f20-1113f22 811->813 814 1113ed8-1113ee3 811->814 816 1113f24-1113f7c 813->816 814->813 815 1113ee5-1113ef1 814->815 817 1113ef3-1113efd 815->817 818 1113f14-1113f1e 815->818 825 1113fc6-1113fc8 816->825 826 1113f7e-1113f89 816->826 820 1113f01-1113f10 817->820 821 1113eff 817->821 818->816 820->820 822 1113f12 820->822 821->820 822->818 828 1113fca-1113fe2 825->828 826->825 827 1113f8b-1113f97 826->827 829 1113f99-1113fa3 827->829 830 1113fba-1113fc4 827->830 834 1113fe4-1113fef 828->834 835 111402c-111402e 828->835 831 1113fa5 829->831 832 1113fa7-1113fb6 829->832 830->828 831->832 832->832 836 1113fb8 832->836 834->835 837 1113ff1-1113ffd 834->837 838 1114030-1114042 835->838 836->830 839 1114020-111402a 837->839 840 1113fff-1114009 837->840 845 1114049-111407e 838->845 839->838 841 111400b 840->841 842 111400d-111401c 840->842 841->842 842->842 844 111401e 842->844 844->839 846 1114084-1114092 845->846 847 1114094-111409a 846->847 848 111409b-11140fb 846->848 847->848 855 111410b-111410f 848->855 856 11140fd-1114101 848->856 858 1114111-1114115 855->858 859 111411f-1114123 855->859 856->855 857 1114103 856->857 857->855 858->859 862 1114117-111411a call 1110ab8 858->862 860 1114133-1114137 859->860 861 1114125-1114129 859->861 864 1114147-111414b 860->864 865 1114139-111413d 860->865 861->860 863 111412b-111412e call 1110ab8 861->863 862->859 863->860 869 111415b-111415f 864->869 870 111414d-1114151 864->870 865->864 868 111413f-1114142 call 1110ab8 865->868 868->864 873 1114161-1114165 869->873 874 111416f 869->874 870->869 872 1114153 870->872 872->869 873->874 875 1114167 873->875 876 1114170 874->876 875->874 876->876
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \Vin
                                                            • API String ID: 0-3600523701
                                                            • Opcode ID: 6bd3f4407c76d0482d138315e7b6e3578ec9f166fce8fbee1781fefc25a76903
                                                            • Instruction ID: 04b74ad8de25d3aee210858a9a3ad223a04949cd04cd119a8d484a783dad25d5
                                                            • Opcode Fuzzy Hash: 6bd3f4407c76d0482d138315e7b6e3578ec9f166fce8fbee1781fefc25a76903
                                                            • Instruction Fuzzy Hash: DD914970E0020ACFDB18CFA9D9857DDFBF2BF88714F148129E415A7698EB749845CB92
                                                            Function 01110848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 893 1110848-111084c 894 111084e-1110851 893->894 895 1110853 894->895 896 111085e-1110861 894->896 923 1110853 call 111147a 895->923 924 1110853 call 111136f 895->924 897 1110863 896->897 898 111086e-1110871 896->898 902 1110869 897->902 900 1110873 898->900 901 1110882-1110885 898->901 899 1110859 899->896 905 111087d 900->905 903 1110909-111090b 901->903 904 111088b-111089b 901->904 902->898 906 1110912-1110915 903->906 907 111090d 903->907 910 11108cd-11108d5 904->910 911 111089d-11108cb 904->911 905->901 906->894 908 111091b-111091d 906->908 907->906 912 11108d7-11108d9 910->912 913 11108db-11108dd 910->913 911->910 915 11108e3-11108e5 912->915 913->915 916 11108e7-11108ed 915->916 917 11108fd-1110904 915->917 919 11108f1-11108f3 916->919 920 11108ef 916->920 917->903 919->917 920->917 923->899 924->899
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Co
                                                            • API String ID: 0-3798529171
                                                            • Opcode ID: 44963ed5ef46e08a436511d4ea2ce2cca424d9cd226df075db89304469aab29b
                                                            • Instruction ID: 99dfd17322e8dffccebe48c954139616af1424c2339731ca682d15eeb3891dfd
                                                            • Opcode Fuzzy Hash: 44963ed5ef46e08a436511d4ea2ce2cca424d9cd226df075db89304469aab29b
                                                            • Instruction Fuzzy Hash: D4113330F042084BEF19AB7DC554769B695FB49614F114939F906CB25ADB25CCC18BD1
                                                            Function 01110838 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 925 1110838-111084c 927 111084e-1110851 925->927 928 1110853 927->928 929 111085e-1110861 927->929 956 1110853 call 111147a 928->956 957 1110853 call 111136f 928->957 930 1110863 929->930 931 111086e-1110871 929->931 935 1110869 930->935 933 1110873 931->933 934 1110882-1110885 931->934 932 1110859 932->929 938 111087d 933->938 936 1110909-111090b 934->936 937 111088b-111089b 934->937 935->931 939 1110912-1110915 936->939 940 111090d 936->940 943 11108cd-11108d5 937->943 944 111089d-11108cb 937->944 938->934 939->927 941 111091b-111091d 939->941 940->939 945 11108d7-11108d9 943->945 946 11108db-11108dd 943->946 944->943 948 11108e3-11108e5 945->948 946->948 949 11108e7-11108ed 948->949 950 11108fd-1110904 948->950 952 11108f1-11108f3 949->952 953 11108ef 949->953 950->936 952->950 953->950 956->932 957->932
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Co
                                                            • API String ID: 0-3798529171
                                                            • Opcode ID: eeb81ca9428a985cd9b496860d46dea2660ebf53144dcfedc2bc31fa6dde36ac
                                                            • Instruction ID: 605c322d5c468322c0b5f70580adfd3af659c040d973ca53725feabc82be4413
                                                            • Opcode Fuzzy Hash: eeb81ca9428a985cd9b496860d46dea2660ebf53144dcfedc2bc31fa6dde36ac
                                                            • Instruction Fuzzy Hash: 0D11A730F0430857EF1A6B79D504379B655E749214F14893AF906CB28AEB25C9C18BD2
                                                            Function 011186DF Relevance: .6, Instructions: 569COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b77f3d4bd21a0de07fae4c21db5dee8fe888fd8027b00ae3814c0cfb50ea6017
                                                            • Instruction ID: eff788f1e1b8186c2f75325d2ef161f8787e6bccd027e1cfab1e548ecb402f95
                                                            • Opcode Fuzzy Hash: b77f3d4bd21a0de07fae4c21db5dee8fe888fd8027b00ae3814c0cfb50ea6017
                                                            • Instruction Fuzzy Hash: B2228E30B112069FDB19BB2CE54522C77A2FBC9615B20893AE406CF759CF79DC46CBA1
                                                            Function 01118728 Relevance: .6, Instructions: 561COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36ebf7867ab42f8fdae5f43a352977b2b3fea952ca6e9f229d5172e306fe2d62
                                                            • Instruction ID: 9e42cd77b38c7a5c531797428a578f5f6570a30965e0c564122e8c78b2b11937
                                                            • Opcode Fuzzy Hash: 36ebf7867ab42f8fdae5f43a352977b2b3fea952ca6e9f229d5172e306fe2d62
                                                            • Instruction Fuzzy Hash: 31128E30B112069FDB1ABB2CE54522C77A2FBC5615B20893AE406CF799CF79DC46C7A1
                                                            Function 00DC1F11 Relevance: .4, Instructions: 397COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b429a545ed2054c030fcd21f5d7157198c0a13aed5f36c7cf81f1c7aa71e817c
                                                            • Instruction ID: 3938beb792a8a961d23b3134db9e5265360b712b6b5e85a1968a2c6d0598a85c
                                                            • Opcode Fuzzy Hash: b429a545ed2054c030fcd21f5d7157198c0a13aed5f36c7cf81f1c7aa71e817c
                                                            • Instruction Fuzzy Hash: 03416331900709DFCB14DFA9C854AADFBB1EF89310F15C56DE845BB265DB709981CBA0
                                                            Function 0111A20F Relevance: .4, Instructions: 393COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2238b596f4f1f1fe855bc458bc73217b7aca9c594b8468a778930be840f49bf8
                                                            • Instruction ID: f6b55cc2c94c1711bca8ffd437566e0466bf6ac67c206a4027edc3f23fe0b9e5
                                                            • Opcode Fuzzy Hash: 2238b596f4f1f1fe855bc458bc73217b7aca9c594b8468a778930be840f49bf8
                                                            • Instruction Fuzzy Hash: 00E19F30B012058FDB19DB68E584AAEBBB2EF88310F248579E906D7759DB31DD42CB90
                                                            Function 00DC2150 Relevance: .3, Instructions: 340COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a93a71de5a890f1b11d5b666d7442c0385ecf5f9aed71c7656958f99a7ed6ff
                                                            • Instruction ID: a9af3b1cc78e3997912e3163c746406c7880939af7fc984220ec205e19222207
                                                            • Opcode Fuzzy Hash: 1a93a71de5a890f1b11d5b666d7442c0385ecf5f9aed71c7656958f99a7ed6ff
                                                            • Instruction Fuzzy Hash: E1D15D70E0420A8FDB18DFA9C854BAEBBF2AF88310F15856DD445AB391DB349D45CBA1
                                                            Function 01114A7E Relevance: .3, Instructions: 261COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cf287c49f550d19e743f916a2ea1232711055f2cbe26ebfac48eda510b75536d
                                                            • Instruction ID: 2319afe9978dedaaea4540b66f388c17ece374447a154f99bafa741999cd6515
                                                            • Opcode Fuzzy Hash: cf287c49f550d19e743f916a2ea1232711055f2cbe26ebfac48eda510b75536d
                                                            • Instruction Fuzzy Hash: 53A13A70E002098FDF18CFA9D88179DFBF2BF88B14F248539D814A7698EB759845CB85
                                                            Function 01116ED2 Relevance: .2, Instructions: 175COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aa63921a3aec967e5d14fa6f20e890a133691304f1244073371f493735ed1ee0
                                                            • Instruction ID: 53d872d07579151f62e0508d4baf8d1049aec159293c29cd337181a27478cdc4
                                                            • Opcode Fuzzy Hash: aa63921a3aec967e5d14fa6f20e890a133691304f1244073371f493735ed1ee0
                                                            • Instruction Fuzzy Hash: 4F5181347002158FDB18EB68C558BADB7F6EF89700F604469E406EB3A5DB769C40CBA1
                                                            Function 0111DD82 Relevance: .2, Instructions: 171COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8f43a76f975a615da0ff2d90d34f473ce7d27319ddde226e3b2ddef5b1a7f63
                                                            • Instruction ID: 0151b8ab4e4c706653bf711e14ca9f6f552226a8e568ca1d44f53ca6e9bb5d66
                                                            • Opcode Fuzzy Hash: b8f43a76f975a615da0ff2d90d34f473ce7d27319ddde226e3b2ddef5b1a7f63
                                                            • Instruction Fuzzy Hash: 24519E71700216AFDB19CF68D884B2EF7A6FB84310F658669D405DB29ACB31ED42CB91
                                                            Function 0111A6C8 Relevance: .1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2419bdfa4e52521e5dd6c0080fb9e7b4cdc96e147c1e7f8ddf0a4ad85fbcf544
                                                            • Instruction ID: 88cdbbb1faed63a419ce41ad2770349ee7e38a5215779cc3c7f15e62109ef89c
                                                            • Opcode Fuzzy Hash: 2419bdfa4e52521e5dd6c0080fb9e7b4cdc96e147c1e7f8ddf0a4ad85fbcf544
                                                            • Instruction Fuzzy Hash: 85513871A01205CFDB04DF69E88479DFBB2FF88311F14C2AAE9099B35AE7719945CB90
                                                            Function 01116CD4 Relevance: .1, Instructions: 134COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 40013d5505916fe857a75766dd0d6291321a1ae19cc50d0b0efc5b06e4934839
                                                            • Instruction ID: c814006267476a31bd1e96774a3730c1a658680f7870bfd24870432c97df6058
                                                            • Opcode Fuzzy Hash: 40013d5505916fe857a75766dd0d6291321a1ae19cc50d0b0efc5b06e4934839
                                                            • Instruction Fuzzy Hash: 13510274D102288FDB18CFA9C885B9DFBB1BF48310F15812AE819AB255D7B5A844CF95
                                                            Function 01116CE0 Relevance: .1, Instructions: 132COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aedf21fc81ca6381264fa51a4a801f6b8f01590468bbfe416523255765d4c9e3
                                                            • Instruction ID: a82bd50eb7e30ca79d45d31ee75331c048fa11993ea948f2d22fe90dc0ca1af5
                                                            • Opcode Fuzzy Hash: aedf21fc81ca6381264fa51a4a801f6b8f01590468bbfe416523255765d4c9e3
                                                            • Instruction Fuzzy Hash: 04510374D10228CFDB18CFA9C894B9DFBB1BF48310F15812AE815AB355D7B5A844CF95
                                                            Function 0111112A Relevance: .1, Instructions: 119COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a2afe8f2bc15f22e862f7374eb7020fb99768ee92668772708c04370a650b735
                                                            • Instruction ID: d7048f51b452a20a6bc14c63ec9ff12838d492246f75cbc61910013dec360873
                                                            • Opcode Fuzzy Hash: a2afe8f2bc15f22e862f7374eb7020fb99768ee92668772708c04370a650b735
                                                            • Instruction Fuzzy Hash: 23512134A16345EFCB05FB28FB809663BA1B79930C704895BD0088FA7ED7706A05CF51
                                                            Function 01111138 Relevance: .1, Instructions: 109COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 059e126b21383fe42aa0e85103eb2730b05a51bb22a6c2db13682f99fda2b1dd
                                                            • Instruction ID: 5579f83dc63316f812d11531d6c5d5283614a83dd5cd81ee014d1b24057cab9e
                                                            • Opcode Fuzzy Hash: 059e126b21383fe42aa0e85103eb2730b05a51bb22a6c2db13682f99fda2b1dd
                                                            • Instruction Fuzzy Hash: 2751F034616349EFCB05FB28FB809663BB5B799209314895BD0088FA7DDB706A45CF91
                                                            Function 00DC2998 Relevance: .1, Instructions: 100COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e56d33333e039ba3427ffd1b0f14abd45d74e29714d70243169299a84cff6680
                                                            • Instruction ID: d6dee9f94b52ba289477beeb5a104ddaa181b76bc4e7fa80760a62cd74644bc2
                                                            • Opcode Fuzzy Hash: e56d33333e039ba3427ffd1b0f14abd45d74e29714d70243169299a84cff6680
                                                            • Instruction Fuzzy Hash: 35317E70A002068FDF50EBB8D990AAE7BB5FF89314F14452ED405DB355DB35AD06CBA1
                                                            Function 01117D90 Relevance: .1, Instructions: 99COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2bebf91e1e6f67e2d756dc2db1872204d4244104b5f48ec3693a7b4063da270f
                                                            • Instruction ID: 1c1a0b14221b1069c1b71e4b33bfcafef754428708e8e3a4b9cbd57c9af9ba44
                                                            • Opcode Fuzzy Hash: 2bebf91e1e6f67e2d756dc2db1872204d4244104b5f48ec3693a7b4063da270f
                                                            • Instruction Fuzzy Hash: 45317E31E1121ADBDB19DF68D4447AEF7B2EF89310F608529E802EB395DB70AD41CB51
                                                            Function 00DC29A8 Relevance: .1, Instructions: 94COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e8545ff2f50f6762a928db3ad5a1988ad0d8ad1e1c04d03b3199099fdcf48976
                                                            • Instruction ID: afc55b938487b0346a0fb87dbd162b331c8b7d1b80ef47614606884c7a2387a0
                                                            • Opcode Fuzzy Hash: e8545ff2f50f6762a928db3ad5a1988ad0d8ad1e1c04d03b3199099fdcf48976
                                                            • Instruction Fuzzy Hash: 86314F70A002168FDF50EBA9D980ABE7BB5FF89314F10452ED406EB355DB36AD05CBA1
                                                            Function 01117D80 Relevance: .1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bdc12178482d5c58579176ab78ba60cb9b54aa74ce412c2db75588b1c613baf1
                                                            • Instruction ID: f050bc6cfbddb5f32bd27ebc2541f7858f7a66478628a0be16f4811fc7abb3be
                                                            • Opcode Fuzzy Hash: bdc12178482d5c58579176ab78ba60cb9b54aa74ce412c2db75588b1c613baf1
                                                            • Instruction Fuzzy Hash: E7314D31E1121ADBDB19DF68C5447AEF7B2EF89300F608529E802FB395EBB199418B51
                                                            Function 011126CE Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 55375c75f04483db57c2f3a546982ea0283b396c9563bfd4d95a2b55cbb31532
                                                            • Instruction ID: 7e3b3658d0b6d08f3692096544e1c4b632a48505eb5a30ca660b1c5739e461b3
                                                            • Opcode Fuzzy Hash: 55375c75f04483db57c2f3a546982ea0283b396c9563bfd4d95a2b55cbb31532
                                                            • Instruction Fuzzy Hash: A841FEB49003499FDB14DFA9C984A9EBBF5BF48310F24842AE819AB254DB74A945CB90
                                                            Function 011126D8 Relevance: .1, Instructions: 90COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e15f497b69a8dc7096a681b4b7375dc9ea414e7d46d0ce45e05b6e8252b053af
                                                            • Instruction ID: b5da96a563c8038eb64aebba050d3ebfe4e7af46cdc24d69a10fba0f20e352ac
                                                            • Opcode Fuzzy Hash: e15f497b69a8dc7096a681b4b7375dc9ea414e7d46d0ce45e05b6e8252b053af
                                                            • Instruction Fuzzy Hash: 5D41EFB4D0034D9FDB14DFA9C884A9EBBF5FF48310F208429E819AB254DB75A945CB90
                                                            Function 0111147A Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d78ede85986fd821ed4f32b3081dc4e15e39de99ad94f923f56bc4a0e38d5db
                                                            • Instruction ID: 9b1978678708292b8d335f784cb5132fdd3d9db9ead490be212cedb430991d53
                                                            • Opcode Fuzzy Hash: 8d78ede85986fd821ed4f32b3081dc4e15e39de99ad94f923f56bc4a0e38d5db
                                                            • Instruction Fuzzy Hash: C7213831E00215AFCF2AABBCD4413ADFBB5EF09619F140476E906D770AE739C8818792
                                                            Function 0111A080 Relevance: .1, Instructions: 84COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9d6438f8d85e9f3a27b4b099fd805f2e8458c9c33302db947a25c2b8dc51ea40
                                                            • Instruction ID: 39845acbf8760f4fcaacf6d48b00b3a5cc81303702a19a61f106842eedc4f797
                                                            • Opcode Fuzzy Hash: 9d6438f8d85e9f3a27b4b099fd805f2e8458c9c33302db947a25c2b8dc51ea40
                                                            • Instruction Fuzzy Hash: 2F318430E0124A9FDB09DF69E95069EFBB2FF85340F14C525E805EB345DB719941CB90
                                                            Function 0111A856 Relevance: .1, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02b2394f49da606e0510da7631f857cef4eff6c823f362ef4c195f49b9e81d39
                                                            • Instruction ID: 81791173fadb79dfee76b7c8ec06de7444ebf05a56abbd3f74d126a17804618c
                                                            • Opcode Fuzzy Hash: 02b2394f49da606e0510da7631f857cef4eff6c823f362ef4c195f49b9e81d39
                                                            • Instruction Fuzzy Hash: DE21C771A101458FEB189B79D854BADBBF6EF88724F118125E501EB3A4DB719D408790
                                                            Function 0111A090 Relevance: .1, Instructions: 78COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4a208bd866b923ae8e0b82f7e4821617357dc4e91006fa5cffb992907d911aa
                                                            • Instruction ID: 07543a7ae7ca38bc370cb68c52a4931d8d7139cfb52348fd09067853ac1b9132
                                                            • Opcode Fuzzy Hash: d4a208bd866b923ae8e0b82f7e4821617357dc4e91006fa5cffb992907d911aa
                                                            • Instruction Fuzzy Hash: 4A219630E0024A9FDB09DF69D95069EFBB2FF85340F14C52AE805EB345DB719941CB90
                                                            Function 01111690 Relevance: .1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fe87b0bdf4252a6cb8ed6dcc35acfbe4cd41851ded6d711f196c0bc479dd3af4
                                                            • Instruction ID: 196d909ed12a53ebf6d5f0b89fc18ec53215bc2276c41cff0c726161c3802402
                                                            • Opcode Fuzzy Hash: fe87b0bdf4252a6cb8ed6dcc35acfbe4cd41851ded6d711f196c0bc479dd3af4
                                                            • Instruction Fuzzy Hash: 8A21DA38610200AFEF16E73CEA4471EB765FB88215F104936E509C765EEB75DC41CB91
                                                            Function 01119F81 Relevance: .1, Instructions: 73COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 63147fc6b80627a390e144e8870d9bb22ba73902fbc8a0047a34a6d5a2b088fd
                                                            • Instruction ID: 086765b82d3c7933458ef2ca9fcb88de02caa8029252dbb2a8c919173bcbd358
                                                            • Opcode Fuzzy Hash: 63147fc6b80627a390e144e8870d9bb22ba73902fbc8a0047a34a6d5a2b088fd
                                                            • Instruction Fuzzy Hash: ED219031E0025A9FCB09CFA4D5506DEFBB2AF85310F20862AE815FB384DB719946CB51
                                                            Function 0111136F Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d059eae6edfa456fd50c61e7dc70b9909048af12ead381d3bb0719f2416ff701
                                                            • Instruction ID: b3a542aa5d1f233be367553cec32b7efe8b2bdfb8708deafdda44e50f01e7612
                                                            • Opcode Fuzzy Hash: d059eae6edfa456fd50c61e7dc70b9909048af12ead381d3bb0719f2416ff701
                                                            • Instruction Fuzzy Hash: F921E4306112006BEB3A673CE55932DFA11EB06339F40483AFA06C7B8DDB29D842C762
                                                            Function 00DFD20C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861223437.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dfd000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bfc8ff5af04682a806e6f3b2c55f11eb173ba834d026e97f98b7240ae4796752
                                                            • Instruction ID: 75dbefc9ffdb833ebd1148c03dbc7f884c91dc8bff64e93f325d9fdd3ab80d62
                                                            • Opcode Fuzzy Hash: bfc8ff5af04682a806e6f3b2c55f11eb173ba834d026e97f98b7240ae4796752
                                                            • Instruction Fuzzy Hash: 822104726043489FDB01DF10D884B2ABB67FB84324F25C669DA490B246C376D846CAB2
                                                            Function 00DFD3BC Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861223437.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dfd000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ada0d92603a14e8fb87bebd821397219a3fb85f3a60dd4c81085fcede65fc34b
                                                            • Instruction ID: 7c7a952d83750aa91fed166475393a006a9697788b8b15ab31e32880591d3c66
                                                            • Opcode Fuzzy Hash: ada0d92603a14e8fb87bebd821397219a3fb85f3a60dd4c81085fcede65fc34b
                                                            • Instruction Fuzzy Hash: 6821F275604308DFDB04DF14D9C4B26BBA7FB84314F24C56DDA494B286C376E846CA72
                                                            Function 00DFD044 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861223437.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dfd000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 453a9a6d68ec5223f8ef0fbf53a54a3ba9b397fefdb3b5f377fc0da07f34c12a
                                                            • Instruction ID: f8d66c9154076cf5154f1c6ba54ab19f642c43140f7848828acf267158d191de
                                                            • Opcode Fuzzy Hash: 453a9a6d68ec5223f8ef0fbf53a54a3ba9b397fefdb3b5f377fc0da07f34c12a
                                                            • Instruction Fuzzy Hash: A621F275604348AFDB14DF20D9C4B26BB67FB84314F24C56DEA494B382CB7AD846CA72
                                                            Function 00DC1E5C Relevance: .1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed11bc059589038bf80fdeb880482561323271912df7b40e1a2e763402c279f6
                                                            • Instruction ID: 50b25bf7c6c079c9b485f9db53ef6720d8ecf9c6a975ae62311f95fac7037d09
                                                            • Opcode Fuzzy Hash: ed11bc059589038bf80fdeb880482561323271912df7b40e1a2e763402c279f6
                                                            • Instruction Fuzzy Hash: AA3102B0D11209DFDB24DF9AC588BAEBBF5AF48710F24801AE404AB380C7B59845CFA0
                                                            Function 0111186A Relevance: .1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b77ac59af858f60bf1d385d46da40650288fd5237f7441e5d05a4c034b9c452c
                                                            • Instruction ID: d3579b5c6f842316ce24b1ce3cbc3a29bc1afb50b56347ced318db8e729e7c0a
                                                            • Opcode Fuzzy Hash: b77ac59af858f60bf1d385d46da40650288fd5237f7441e5d05a4c034b9c452c
                                                            • Instruction Fuzzy Hash: 36214C30B00249DFDB28EF78C6547AEF7B6AB49205F100879C605EB364EB358D41CB51
                                                            Function 01114F78 Relevance: .1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c322fa6b3fd34b8929482029bb6f31db33e904f2d0f64c9a39f75eb537773df3
                                                            • Instruction ID: e7a1109b7325e88496b0c95098ba5fa6729ae1f25fdaea306f488ff5b7a7a2a8
                                                            • Opcode Fuzzy Hash: c322fa6b3fd34b8929482029bb6f31db33e904f2d0f64c9a39f75eb537773df3
                                                            • Instruction Fuzzy Hash: B6212B34B00205CFDB58DB78DA58B9EB7F2AF89704F204869E506EB365DB329D04CB61
                                                            Function 00DC24C4 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf39a975b492e9535558545d36c70050113a6de3eb94eb48d01765d15448f99a
                                                            • Instruction ID: 24e4110dd5d45765abad8a7bdf3b12050712753796e616cd53bc55fc750efd37
                                                            • Opcode Fuzzy Hash: bf39a975b492e9535558545d36c70050113a6de3eb94eb48d01765d15448f99a
                                                            • Instruction Fuzzy Hash: 5631F1B0D11219DFDB24DF99C598BAEBFF5AF48710F24801AE404AB380C7B59845CF60
                                                            Function 01111878 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8d447d08460b71bd00940d0afe11784d2ff2de53637a561fede6c6d3013f4ec
                                                            • Instruction ID: 68456d358fae284e535570b1f83790bf9eb9b9cf476fccc01d86ef0a07a2dfe6
                                                            • Opcode Fuzzy Hash: d8d447d08460b71bd00940d0afe11784d2ff2de53637a561fede6c6d3013f4ec
                                                            • Instruction Fuzzy Hash: 36212C30B042099FDB18EB78C6547AEF7F6AB89205F100478C616EB354EB328D01CB91
                                                            Function 01119F90 Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ad405b98ea7512e5e248ee5ae92a06b9bcaa0956c509650e36b6738004a8dc2b
                                                            • Instruction ID: 20476ca03979022100407ca7834a1bc1dbd8e37e3ff68583f15012baf3da86ac
                                                            • Opcode Fuzzy Hash: ad405b98ea7512e5e248ee5ae92a06b9bcaa0956c509650e36b6738004a8dc2b
                                                            • Instruction Fuzzy Hash: 69214130E0065A9FCB19CFA5D4506DEFBB2BF85310F10852AE815FB384DB719945CB51
                                                            Function 011116A0 Relevance: .1, Instructions: 69COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e94936e945ab6a1465423bf559e0121dfcf9b7bae3717afbf91e573a46f56e77
                                                            • Instruction ID: 1ad5679b3027babbce2aa526d90b5e1d96c11ff7d9ba120f0c7629dbb607243d
                                                            • Opcode Fuzzy Hash: e94936e945ab6a1465423bf559e0121dfcf9b7bae3717afbf91e573a46f56e77
                                                            • Instruction Fuzzy Hash: 312196386102019FEF16E73CEA84B1EB765FB88215F104936E50AC765EEB75DC41CB91
                                                            Function 01114F88 Relevance: .1, Instructions: 68COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: afe2540113ff1bbb5c2e0a1a25e0e01521cc8554d2856dff0d2fe4fb8adf83f9
                                                            • Instruction ID: d27c2dd0a0ef4c3c7b17f8bb40afe370062e34c4754b0f6fa9dd5cca2e01e047
                                                            • Opcode Fuzzy Hash: afe2540113ff1bbb5c2e0a1a25e0e01521cc8554d2856dff0d2fe4fb8adf83f9
                                                            • Instruction Fuzzy Hash: 4C211B34B00205CFDB58DB79C558B9DB7F2AB89704F104469E506EB365DB329D44CB61
                                                            Function 00DC0368 Relevance: .1, Instructions: 64COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e52eb0a0a3f751d0a65e299d6da2d095d784f0fee5bf123edb9ad98da4ae22dd
                                                            • Instruction ID: 9384b71268419f55c09670c8a3c6760d2e2ef61a6989594fb7b47a25527df583
                                                            • Opcode Fuzzy Hash: e52eb0a0a3f751d0a65e299d6da2d095d784f0fee5bf123edb9ad98da4ae22dd
                                                            • Instruction Fuzzy Hash: 5A11CA313003428FDB19EF39C4546AABBA2FF86344720866DD04ADB795DB329C06CBA0
                                                            Function 011117B2 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a422095d5491fe73607e63ce0d8bacec6c22131e61e40b9c35e18dae1781f599
                                                            • Instruction ID: 832378fd28667167c5a37899e37015d69d757016b3d77aeee06c6e83586375ec
                                                            • Opcode Fuzzy Hash: a422095d5491fe73607e63ce0d8bacec6c22131e61e40b9c35e18dae1781f599
                                                            • Instruction Fuzzy Hash: 8C118276F01615AFCB54AB79990966EBBF5EF88660F108436EE05D3348EB34C9018791
                                                            Function 00DC0378 Relevance: .1, Instructions: 58COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2ae32958f4a6c49f675103a83c61af2f42b41885ca701c73ad8eb31c730b0c4
                                                            • Instruction ID: 1a8b863c4ed2c758510de406b32a7947c350507ad8d83efeaee2216b08a800c1
                                                            • Opcode Fuzzy Hash: e2ae32958f4a6c49f675103a83c61af2f42b41885ca701c73ad8eb31c730b0c4
                                                            • Instruction Fuzzy Hash: BB118C303003168FDB18EF69D494A6ABBE6FBC5354B20863CD51A9B784DF329D05CBA1
                                                            Function 00DC1988 Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 30436c75a1ab2e6ad23f60ef36e4d8b510ca299805497ee69bf356cb86db30e7
                                                            • Instruction ID: 1f95085de4411541eed45b046f74fad47dffaf7dd57b012a2c0d4300b9adb3ab
                                                            • Opcode Fuzzy Hash: 30436c75a1ab2e6ad23f60ef36e4d8b510ca299805497ee69bf356cb86db30e7
                                                            • Instruction Fuzzy Hash: D9119E35504349DFCB028FA4C82898ABFB1FF4B310B0984EAE554CF272D7319825CB61
                                                            Function 00DC16F1 Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47d01a8a891b067ffe23dfd401a621eae7ce97068a91c05e8d1bd760ab705739
                                                            • Instruction ID: 1c66258d655f5e95d3aa950e4b17725f7c2af8ada1051babcb3cf41ed22327aa
                                                            • Opcode Fuzzy Hash: 47d01a8a891b067ffe23dfd401a621eae7ce97068a91c05e8d1bd760ab705739
                                                            • Instruction Fuzzy Hash: 5B11A078604322DFC3258B698984B22BFA5FB8A700B18885ED082C7696D771E801CBA0
                                                            Function 01116B99 Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50aa8eccf711b4d548a9e653a23c4b224f50e46cf4f55d774953f4549eddb9d8
                                                            • Instruction ID: 6cbaf9a95e10876dda190b67fc251da30700bfbadf3a06fee70aad67c3057066
                                                            • Opcode Fuzzy Hash: 50aa8eccf711b4d548a9e653a23c4b224f50e46cf4f55d774953f4549eddb9d8
                                                            • Instruction Fuzzy Hash: 4D11C0317046049FC315AB7CD46576EBBB6EFC5310F2088AAE48AC7390EF7A984187A1
                                                            Function 01111488 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43ddc39e617a20a46697a2bdf90c59dcc5085aee1025f4f988f5d9d960f528a1
                                                            • Instruction ID: 43cdc4a5983990a0331a31d9dae9982edf3809bd6414b3fd94ef1ac74d37b78b
                                                            • Opcode Fuzzy Hash: 43ddc39e617a20a46697a2bdf90c59dcc5085aee1025f4f988f5d9d960f528a1
                                                            • Instruction Fuzzy Hash: 50016D31E002169FCB29EFB884401AEFBF5EB49254F250479E905E7209E736C8818B92
                                                            Function 00DFD03F Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861223437.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dfd000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: c16caf52cd0d860a1c50bacdca108f50502001dfecceae8860b04c1012893889
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: 6C11DD75504288DFCB11CF10C9C4B25BBA2FB84324F28C6ADD9494B292C73AD84ACF62
                                                            Function 00DFD207 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861223437.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dfd000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 862c65023cd92449f428095a58a3181619df817727a273a2fecd008dac0e22f8
                                                            • Instruction ID: c82b299f2fb6be45f8855bd50bb64aaf798d6dbc77a998c2a9a3a5ab65afff4b
                                                            • Opcode Fuzzy Hash: 862c65023cd92449f428095a58a3181619df817727a273a2fecd008dac0e22f8
                                                            • Instruction Fuzzy Hash: 3111B276504288DFDB12CF14D5C4B25FB62FB84324F29C6A9D9494B656C33AD806CBA1
                                                            Function 00DFD3B7 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861223437.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dfd000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction ID: e9c93e01d6b2f908acd59acc4acf814a3346d0d8bc483dcd52fc10605bf7c1e2
                                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                            • Instruction Fuzzy Hash: 15119075504244DFCB05CF14D5C4B25FB62FB44314F28C6ADD9494B656C33AE84ACF61
                                                            Function 0111A6C0 Relevance: .1, Instructions: 51COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8cefaa1dde781c489263353ce87786d52da1f5b17fec06c6c44d55b63c562e4e
                                                            • Instruction ID: bea02fe4a55516c05f499d4e7112ed10667bd840b5a4bc68dd7e8510ef5c783a
                                                            • Opcode Fuzzy Hash: 8cefaa1dde781c489263353ce87786d52da1f5b17fec06c6c44d55b63c562e4e
                                                            • Instruction Fuzzy Hash: 09019630A002048FDB14EF59E94479ABF76FFC4311F548174D9485B29AE771AE45CBA1
                                                            Function 011144A3 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 257eddcc4db77232dfb566c9aab90f866f7bc622114148298feb2202924ea554
                                                            • Instruction ID: bd5f3b48a5055b9df3ec1db066a1132d4d4faf45d4ddc1b4caf80491dea29747
                                                            • Opcode Fuzzy Hash: 257eddcc4db77232dfb566c9aab90f866f7bc622114148298feb2202924ea554
                                                            • Instruction Fuzzy Hash: 5111F230C04249CEDF38DAA8E9987ECF7B1AF5571AF14183AC001B6999EB7558C9CB12
                                                            Function 00DC1CA0 Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c40be3668763f72e109fa82f6f4162f0da7133154226f21c2503fa65d06613d
                                                            • Instruction ID: 14e9bcfbfb398006e3f232272565525efe75b5f581cb3c678f09ad16ff7ad1dd
                                                            • Opcode Fuzzy Hash: 9c40be3668763f72e109fa82f6f4162f0da7133154226f21c2503fa65d06613d
                                                            • Instruction Fuzzy Hash: F21125B98042498FDB20DFAAD484BDEBBF4AB49320F24845AD459A7740C374A944CFA1
                                                            Function 00DC27F5 Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb18f127a7df9dbca90e003f5ea069a854b7cdfaae470874c88b34c15d7f521e
                                                            • Instruction ID: 3afda7beec37e3621a0511bfef5d00b1bddbc2f314a0e746a517346d9cbfb49b
                                                            • Opcode Fuzzy Hash: cb18f127a7df9dbca90e003f5ea069a854b7cdfaae470874c88b34c15d7f521e
                                                            • Instruction Fuzzy Hash: 8011277190021ADFDB20CF9AD844BEEBBB1FF48320F148129E464AB2A0C3705A44CBE0
                                                            Function 00DC0B74 Relevance: .0, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 21231c6595ec02f0addfe20de1b7fd104fd54ff81cbc3f0ac6391d843a20869a
                                                            • Instruction ID: 13b05e3edd17de6eb3da0d807f32389c7d61685ac800a9903a07c112eb95f018
                                                            • Opcode Fuzzy Hash: 21231c6595ec02f0addfe20de1b7fd104fd54ff81cbc3f0ac6391d843a20869a
                                                            • Instruction Fuzzy Hash: CE01923C200722DBD3248B698984F27BBE5FB86B01F24891DD44783A91C771E8019BA4
                                                            Function 00DED8DD Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861161285.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_ded000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 51caf67b99da1b4ed7694a7a2702c955afe9ea6e84b4b0d0ef6658f3ab462922
                                                            • Instruction ID: 229cb10c7c10d5531f89084819f6f08c80cc4e28e677e7e3da6c6de80b50ff7e
                                                            • Opcode Fuzzy Hash: 51caf67b99da1b4ed7694a7a2702c955afe9ea6e84b4b0d0ef6658f3ab462922
                                                            • Instruction Fuzzy Hash: 8D01F2710083889AE7106A12DCC0B6ABB99EF81725F18C01AEC490B283CB389C00CFB2
                                                            Function 00DC1CA8 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2b1664b48488e9ec00f82fd6756679f419cb8e6944524466d1bb7ff1e5d2cde8
                                                            • Instruction ID: fb7e2348146eed687b6dfe71d66f1dd2d23651e27262d2f5c86a6bdf6c50d29e
                                                            • Opcode Fuzzy Hash: 2b1664b48488e9ec00f82fd6756679f419cb8e6944524466d1bb7ff1e5d2cde8
                                                            • Instruction Fuzzy Hash: D81112B98003498FCB20DF9AD484BDEFBF8EB49320F20841AD559A7740C378A944CFA5
                                                            Function 00DC1921 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9cd20123614eeaa3dd84caa5dec07b73dd9cf89de70d8b39198e76f55fe0faea
                                                            • Instruction ID: b0f026f9844f2cf53d9193b5a42d3b230524b69f0eaf68cfb18c3833a1ae805f
                                                            • Opcode Fuzzy Hash: 9cd20123614eeaa3dd84caa5dec07b73dd9cf89de70d8b39198e76f55fe0faea
                                                            • Instruction Fuzzy Hash: AB01A73490D3809FDB22CFA9D824495BFF5AF0B31070945DBD481CB262D7309D18CBA1
                                                            Function 01118F20 Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d157a5255b36180a3cef805e815b92c8a736d95a034208699bd1000299c23ad8
                                                            • Instruction ID: e2476ec569e7f0a138a2bd2f1f5de3ea62734ea47bf9c80a857d9712f78abbc1
                                                            • Opcode Fuzzy Hash: d157a5255b36180a3cef805e815b92c8a736d95a034208699bd1000299c23ad8
                                                            • Instruction Fuzzy Hash: 98016230901359EFDB41FBB8FA415AD7FB1FB84304F6049AAC8099B255EB316E0587A2
                                                            Function 01117EA8 Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a175ba1afe5b67f1cbaf1aa01b42cd0466ee9f0dca0dd7b555fe4eff6fe6870
                                                            • Instruction ID: 74d4233e7728c29292359513c613779cd7e4c104c122edf9ec44c23624266cdd
                                                            • Opcode Fuzzy Hash: 3a175ba1afe5b67f1cbaf1aa01b42cd0466ee9f0dca0dd7b555fe4eff6fe6870
                                                            • Instruction Fuzzy Hash: 32012834B01215CFDB18DB64D558B6D7BB2EF88225F1444A8E9028B3A4CF35AE42CB51
                                                            Function 00DC2891 Relevance: .0, Instructions: 37COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7bf5b41a204b5d777eb8bead8266662dcba2b96da4bc1dc8ab1be39c16bcc7ce
                                                            • Instruction ID: e1864085d2d6cb24e9646e1888c44e32f936546e07434f2144b5daaba774aa9a
                                                            • Opcode Fuzzy Hash: 7bf5b41a204b5d777eb8bead8266662dcba2b96da4bc1dc8ab1be39c16bcc7ce
                                                            • Instruction Fuzzy Hash: E5F0B4367492845FD301966A9C50AAABFB9EFD761071941EBE445C73A2C5A05C04C770
                                                            Function 00DC0430 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 719031b7a7dd529d0b336248eac6cedccff3ca3aa7351c5dbc86a884a16d7ce7
                                                            • Instruction ID: 1fe6aa5d63e226ec7912ea494300fd6044d77cd4c91b8498ba2d04ff0d62486e
                                                            • Opcode Fuzzy Hash: 719031b7a7dd529d0b336248eac6cedccff3ca3aa7351c5dbc86a884a16d7ce7
                                                            • Instruction Fuzzy Hash: 1BF0A7313085409F87059B5F985885ABFBAFFCA75031680EED10DCB362DA219C068760
                                                            Function 01111514 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8744787f625d0d899e21b976c23815351c84df149c3dc6d2e949df7d295092e1
                                                            • Instruction ID: 8b86fcad06b88924b76ceff5a0e0830646068138ea949024f608deedcb1f2251
                                                            • Opcode Fuzzy Hash: 8744787f625d0d899e21b976c23815351c84df149c3dc6d2e949df7d295092e1
                                                            • Instruction Fuzzy Hash: 16F02B37A04211DFDB198BF894911ACFF71FE6A221B5900F7DA02DB209D325D442C753
                                                            Function 00DED8DC Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861161285.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_ded000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 98ebc867e0935c277ee9317702d16401c6447f30611e1ecd41746fbac31df212
                                                            • Instruction ID: b11d184ec0942fd58e3f38d4707896147e1d89b95cce861737d8b943a793b55c
                                                            • Opcode Fuzzy Hash: 98ebc867e0935c277ee9317702d16401c6447f30611e1ecd41746fbac31df212
                                                            • Instruction Fuzzy Hash: 51F0CD71004384AEE7109A06CCC4B66FFA8EB91734F18C05AED484B283C278AC44CFB1
                                                            Function 00DC2800 Relevance: .0, Instructions: 34COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fbecb7b8b5d49a75e27458790df563621fc9529c45bd495eb6659eb4c62b997d
                                                            • Instruction ID: e2cc671e4aa976917c65ccccf792957316c3a83b734ed4429b9428a24539a180
                                                            • Opcode Fuzzy Hash: fbecb7b8b5d49a75e27458790df563621fc9529c45bd495eb6659eb4c62b997d
                                                            • Instruction Fuzzy Hash: 0801A870C0021ADFDB25DFAAC4447AEBAF5BF48350F248629E424AB2A0D7744A44CBE0
                                                            Function 00DC2BB8 Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7aa63a77755dc33566474425d337ab4e178fbf5ff15183828f3c76a77888bce9
                                                            • Instruction ID: 9bf34df3c5f36ac9fef9228ecb23089ca86762c2de29cc42b0f835f45ac2281a
                                                            • Opcode Fuzzy Hash: 7aa63a77755dc33566474425d337ab4e178fbf5ff15183828f3c76a77888bce9
                                                            • Instruction Fuzzy Hash: E3F037B8D4434A9FCB14DFA9C815ABEBFF4AB08300F4048A9E544E7251DB7496458BA0
                                                            Function 01118F30 Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3862218451.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1110000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac28b357edd5841b0ac67efe59feebc4a2496e02f142283c9e8288df00da620f
                                                            • Instruction ID: fd207fd7be055f1b4a8b39f840959501a65447b2b72c4776f353b79f47ea5546
                                                            • Opcode Fuzzy Hash: ac28b357edd5841b0ac67efe59feebc4a2496e02f142283c9e8288df00da620f
                                                            • Instruction Fuzzy Hash: 28F0FF34900219EFDB41FFA8FA4199D7BF1FB84704F20866AC4099B259EF316E058B92
                                                            Function 00DC28A0 Relevance: .0, Instructions: 30COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c43d74c4b3a9f1b4c861a08348f230216dce59aaa26f8c86dbe11624fb07d7fd
                                                            • Instruction ID: 953d000f72380eb0125e9905960217b6bcbc1e479b4fffe3d26347537e6b2522
                                                            • Opcode Fuzzy Hash: c43d74c4b3a9f1b4c861a08348f230216dce59aaa26f8c86dbe11624fb07d7fd
                                                            • Instruction Fuzzy Hash: 52E06D317002186FD3049A5A9C44E6BFBEEEFC9A20B21806AF504D7361CAB0AC0186A4
                                                            Function 00DC28E0 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c49eac71f014d3eace14e417f66c7e2330c00605d7827fec5e5785eb8edef12
                                                            • Instruction ID: 1c22dbf396267b924e8b53f4275aeb725eb0a2d618da4978292092462012d0f2
                                                            • Opcode Fuzzy Hash: 6c49eac71f014d3eace14e417f66c7e2330c00605d7827fec5e5785eb8edef12
                                                            • Instruction Fuzzy Hash: EEF065363492805FC3158B2ADC94D55FFA5EF9A63071640ABF589CB372C6209C05C760
                                                            Function 00DC2BC8 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7c5d68d690140345b00389d3dda87bbe8e755f3596f2e2758bb0cc9f54b152f
                                                            • Instruction ID: a785c79f7db4dffcfcd26865f01c57786717ee67a5d0409d2a0812d1ee837164
                                                            • Opcode Fuzzy Hash: b7c5d68d690140345b00389d3dda87bbe8e755f3596f2e2758bb0cc9f54b152f
                                                            • Instruction Fuzzy Hash: 08F0DAB0D0430A9FDB54DFA9C941BBEBBF4BB48300F5049A9D918E7351D77496018FA1
                                                            Function 00DC1948 Relevance: .0, Instructions: 27COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3905e9c7e4377007ab7d2ad8220911dcf2e106dd207442ed692dade36573f4a
                                                            • Instruction ID: 171b804fb4dac4328f6c151de3365a3bd96d44a80812c481d6a3fcdee959878c
                                                            • Opcode Fuzzy Hash: e3905e9c7e4377007ab7d2ad8220911dcf2e106dd207442ed692dade36573f4a
                                                            • Instruction Fuzzy Hash: 85F03075E00714AF9B34CFA9D80099AFBF9EF49710B04866EE455D3600D731E9148FA0
                                                            Function 00DC2B61 Relevance: .0, Instructions: 26COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9ed843cbbd5f3ed9b22a439326ff5f6cc6d1fdde105eb0f616d738f8a2dd9bd6
                                                            • Instruction ID: 7e4f68ef6386bd64330bc49cd61b6ccc6c65d64079471332298469a3da291a83
                                                            • Opcode Fuzzy Hash: 9ed843cbbd5f3ed9b22a439326ff5f6cc6d1fdde105eb0f616d738f8a2dd9bd6
                                                            • Instruction Fuzzy Hash: CBF0307094420AEFC740DF7AC819B9ABFF1EF04300F2185AAD418EB215D7708604CFA1
                                                            Function 00DC04F0 Relevance: .0, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0f9f76eea30324738506719f4f2f1f0f15f2086e24d0644aab63a9ec59169f0a
                                                            • Instruction ID: d768ddf6e330b6e44c7466e5d772167fb95484892415641d33175015d81db158
                                                            • Opcode Fuzzy Hash: 0f9f76eea30324738506719f4f2f1f0f15f2086e24d0644aab63a9ec59169f0a
                                                            • Instruction Fuzzy Hash: 8FE0DF31200710CFC7328F68A800A9A7FF8AF49610B09056ED095C3605CB20E908CBA1
                                                            Function 00DC0E51 Relevance: .0, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0195e66e9719225e63ae9b7d6480e3eefdfa6f3b32fc19be1aa6120359bae170
                                                            • Instruction ID: a39c800643db779af5cef0fc137a8a09cde22e4868b561b9663e5b7232422b43
                                                            • Opcode Fuzzy Hash: 0195e66e9719225e63ae9b7d6480e3eefdfa6f3b32fc19be1aa6120359bae170
                                                            • Instruction Fuzzy Hash: 64F0FE782893454FD706DB24EEA46603B25E74A301F04406BD941CF7E9CBB91805DF22
                                                            Function 00DC28F0 Relevance: .0, Instructions: 23COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4339e5d4194583994a32d92941f870ccfe7fe9e0a2dc3f2b19c2260db4495eb6
                                                            • Instruction ID: 5dbf448b8021318348765681d86856948a40a51c53cb3a520a542a1ef97bb474
                                                            • Opcode Fuzzy Hash: 4339e5d4194583994a32d92941f870ccfe7fe9e0a2dc3f2b19c2260db4495eb6
                                                            • Instruction Fuzzy Hash: 04E08C363002006FC3108A0EEC88D06FBEDEFC8630B11802AFA0DC7320CA30AC01C6A4
                                                            Function 00DC0D38 Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a14526decf1f80c0eeccd2a37ae98df36578ee9e78c177c107c400fd7bd2bbf
                                                            • Instruction ID: d4bd7633119d50c6b5c861c87d3bb0a1e84d1902c79836db3e9ee1d08ab31216
                                                            • Opcode Fuzzy Hash: 2a14526decf1f80c0eeccd2a37ae98df36578ee9e78c177c107c400fd7bd2bbf
                                                            • Instruction Fuzzy Hash: 37E0B6B0609B51DFD7318F69D854A927FF8FF4AB10306899AE882C7626C730E8459B61
                                                            Function 00DC2C59 Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbfb6fa32a5d03474c22925fdbf18c38dabc7208b8b99310c3d9daa0ecbb3eb0
                                                            • Instruction ID: c9d05e9aad4bbe3ca5e916cff628efd77c8c107e86b79f9d401efca4baa97596
                                                            • Opcode Fuzzy Hash: cbfb6fa32a5d03474c22925fdbf18c38dabc7208b8b99310c3d9daa0ecbb3eb0
                                                            • Instruction Fuzzy Hash: 16E08C3210C3894FCB129FA0D894E813FA8AF1734030540A7E484CF026D2209418EB61
                                                            Function 00DC16C0 Relevance: .0, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a1ad3801e68fa389132e02bec9709d9f4bd32535b15b2142efb853a19aee8fe5
                                                            • Instruction ID: 9ad03aaae6d21e9094e28d517265e3232d59c4bfe78d18dace6c6b1621d4c561
                                                            • Opcode Fuzzy Hash: a1ad3801e68fa389132e02bec9709d9f4bd32535b15b2142efb853a19aee8fe5
                                                            • Instruction Fuzzy Hash: 56D0A7313595696FD60172A9541278D3B5E8B87710F0240A7E008CB196CBA4CC0242FA
                                                            Function 00DC0E60 Relevance: .0, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: afa037d25313c7fa5105e59a7c1c49d1678794c026829f2a95987abfa000997c
                                                            • Instruction ID: a7a8d565887b232fdf57fd8341cbbed4dd73f132f711b58bd95dd07176fb20f1
                                                            • Opcode Fuzzy Hash: afa037d25313c7fa5105e59a7c1c49d1678794c026829f2a95987abfa000997c
                                                            • Instruction Fuzzy Hash: BAE01A382403098FEB08EF55EE996613B6AF389301F00802BDA018F79CDFB55801DF62
                                                            Function 00DC0500 Relevance: .0, Instructions: 18COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ba54816bbcf0529fb3e18daf2ee41eb0f401050a6afe7c0c472c1c5a0828f73
                                                            • Instruction ID: cbff56b561547b29d6297d130c2414d7fc6a9d6ad2fdb5e89a9aaaa839dc0640
                                                            • Opcode Fuzzy Hash: 3ba54816bbcf0529fb3e18daf2ee41eb0f401050a6afe7c0c472c1c5a0828f73
                                                            • Instruction Fuzzy Hash: 12D05B30700710CB4B75DF29A40095E77FCAF44750304091ED456C3600DB71ED044BD5
                                                            Function 00DC2B70 Relevance: .0, Instructions: 18COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 00f7eedae35a10df9ff5d61094a8bc4095ae67efbe1f8bca15cbb6acbfec0235
                                                            • Instruction ID: 9d001c360c54ce83bc9cfc0f2986145540639a4f950ee81535b28cfe04f04cbb
                                                            • Opcode Fuzzy Hash: 00f7eedae35a10df9ff5d61094a8bc4095ae67efbe1f8bca15cbb6acbfec0235
                                                            • Instruction Fuzzy Hash: D3E0B6B0D4020ADFD740EFB9C905B6EBBF1BF08300F2185A9D019E7255E7B49A048FA1
                                                            Function 00DC16D0 Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 909ec79b9a257a4a8c30bda00cd9229c0415de963bf93ed0977bf7f24b57f665
                                                            • Instruction ID: b9c995943c776ebd3e83719c1ffce1f08d1e4a0dac69016a2d7ac49732730d69
                                                            • Opcode Fuzzy Hash: 909ec79b9a257a4a8c30bda00cd9229c0415de963bf93ed0977bf7f24b57f665
                                                            • Instruction Fuzzy Hash: 44B09B2171557913D904719D6411A9D768F8786665F00017BB50D877415DD59D4102F9
                                                            Function 00DC0253 Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f38c5679744742af99dcd6b08157b85c7f9b2bb4915a1bf15782dc387e4b3792
                                                            • Instruction ID: 80e9d812f60b0017da6d2a60ba356c83c3d3bee7007d4e47b1353289c891f485
                                                            • Opcode Fuzzy Hash: f38c5679744742af99dcd6b08157b85c7f9b2bb4915a1bf15782dc387e4b3792
                                                            • Instruction Fuzzy Hash: 7CD0927084421ACFEF218F85C81CBEEBA70BB04304F10051DD001A6194CBB90949CF64
                                                            Function 00DC0341 Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fcb2729f3238555e542d0f5231912a554a4b49212f7c77a0887408b64a953c32
                                                            • Instruction ID: 6a39b85d424c189529b73da3e04cedc916c617ff1d28a3cd7d6ceb4c47636553
                                                            • Opcode Fuzzy Hash: fcb2729f3238555e542d0f5231912a554a4b49212f7c77a0887408b64a953c32
                                                            • Instruction Fuzzy Hash: DFD0677004A7808FCB068F559D585417F709B0621572642EBC0648A2E3C275854AD7A2
                                                            Function 00DC04D0 Relevance: .0, Instructions: 9COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3861012169.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_dc0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a660e0536537c731596bca78cb141d88c17b014677ed8e086a0b07b8100b482
                                                            • Instruction ID: 327f88d127d5f00b4eee3ae7ca22cf71e34682757a72c1f1d693e811571bb56f
                                                            • Opcode Fuzzy Hash: 1a660e0536537c731596bca78cb141d88c17b014677ed8e086a0b07b8100b482
                                                            • Instruction Fuzzy Hash: 86B092925093418BE6855632CC0B2AA2A614BD2100B4AE0A280419956FEA5A88468521